Guidelines for PSS-OS design - Iter
Guidelines for PSS-OS design - Iter
Guidelines for PSS-OS design - Iter
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
IDM UID<br />
C99J7G<br />
VERSION CREATED ON / VERSION / STATUS<br />
21 Dec 2012 / 1.0/ Approved<br />
EXTERNAL REFERENCE<br />
Memorandum / Note<br />
<strong>Guidelines</strong> <strong>for</strong> <strong>PSS</strong>-<strong>OS</strong> <strong>design</strong><br />
This document provides the guidelines to be followed by the plant system I&C <strong>design</strong>ers <strong>for</strong><br />
the development of the part the Plant System I&C which implements the occupational safety<br />
protection functions and interfacing with the Central SafetySystems <strong>for</strong> Occupational Safety<br />
(CSS-<strong>OS</strong>).<br />
Approval Process<br />
Name Action Affiliation<br />
Author Fourneron J.- M. 21-Dec-2012:signed IO/DG/DIP/CHD/CSD/PCI<br />
CoAuthor Badin R.<br />
Delannoy N.<br />
Pernin J.- M.<br />
Petitpas P.<br />
Reviewers Yonekawa I.<br />
Journeaux J.- Y.<br />
Wallander A.<br />
Fernandez Robles C.<br />
21-Dec-2012:signed<br />
03-Jan-2013:signed<br />
21-Dec-2012:signed<br />
07-Jan-2013:signed<br />
10-Jan-2013:recommended<br />
09-Jan-2013:recommended<br />
14-Jan-2013:recommended<br />
09-Jan-2013:recommended<br />
Approver Bak J.- S. 14-Jan-2013:approved IO/DG/DIP<br />
Document Security: level 1 (IO unclassified)<br />
RO: Fourneron Jean-Marc<br />
Read Access<br />
IO/DG/DIP/CHD/CSD/PCI<br />
IO/DG/DIP/CHD/CSD/PCI<br />
IO/DG/DIP/CHD/CSD<br />
IO/DG/DIP/CHD/CSD/CDC<br />
IO/DG/DIP/CHD/CSD/PCI<br />
IO/DG/DIP/CHD/CSD/PCI<br />
IO/DG/DIP/CHD/CSD<br />
IO/DG/DIP/CHD/CSD/PCI<br />
RO, project administrator, LG: PBS48 EXT, AD: ITER, AD: External Collaborators, AD: Section - CODAC,<br />
AD: Section - Plant Control and Instrumentation<br />
PDF generated on 14-Jan-2013<br />
DISCLAIMER : UNCONTROLLED WHEN PRINTED – PLEASE CHECK THE STATUS OF THE DOCUMENT IN IDM
Title (Uid)<br />
Versio<br />
n<br />
Change Log<br />
Latest Status Issue Date Description of Change<br />
<strong>Guidelines</strong> <strong>for</strong> <strong>PSS</strong>-<strong>OS</strong><br />
<strong>design</strong> (C99J7G_v1_0)<br />
<strong>Guidelines</strong> <strong>for</strong> <strong>PSS</strong>-<strong>OS</strong><br />
<strong>design</strong> (C99J7G_v0_0)<br />
v1.0 Approved 21 Dec<br />
2012<br />
v0.0 In Work 07 Nov<br />
2012<br />
Creation of the document<br />
PDF generated on 14-Jan-2013<br />
DISCLAIMER : UNCONTROLLED WHEN PRINTED – PLEASE CHECK THE STATUS OF THE DOCUMENT IN IDM
<strong>Guidelines</strong> <strong>for</strong> <strong>PSS</strong>-<strong>OS</strong> <strong>design</strong><br />
Table of Contents<br />
1 INTRODUCTION...............................................................................................................5<br />
1.1 SCOPE ................................................................................................................................6<br />
1.2 ACRONYMS ........................................................................................................................6<br />
1.3 REFERENCES ......................................................................................................................7<br />
1.3.1 Reference documents.................................................................................................7<br />
1.3.2 Applicable standards ................................................................................................7<br />
1.3.3 Hardware Reference documents ...............................................................................7<br />
1.3.4 Software Reference documents .................................................................................8<br />
1.4 PCDH CONTEXT ................................................................................................................8<br />
2 PRINCIPLES ......................................................................................................................9<br />
2.1 ROLES AND RESPONSIBILITIES............................................................................................9<br />
2.1.1 OHS HIRA process .................................................................................................10<br />
2.2 RELATION BETWEEN <strong>PSS</strong>-<strong>OS</strong> GUIDELINES AND IEC 61508 ............................................10<br />
2.3 ENVIRONMENTAL QUALIFICATION ...................................................................................10<br />
2.4 TERMINOLOGY.................................................................................................................10<br />
2.4.1 SCS-<strong>OS</strong>....................................................................................................................11<br />
2.4.2 <strong>PSS</strong>-<strong>OS</strong>....................................................................................................................11<br />
2.4.3 CSS-<strong>OS</strong>....................................................................................................................12<br />
2.4.4 PSN-<strong>OS</strong> ...................................................................................................................12<br />
2.4.5 CSN-<strong>OS</strong> ...................................................................................................................13<br />
2.4.6 Safety Function .......................................................................................................13<br />
2.4.7 Occupational Safety I&C Function.........................................................................13<br />
2.4.8 Occupational Safety Event......................................................................................14<br />
2.4.9 Occupational Safety Action.....................................................................................14<br />
2.4.10 Non-critical monitoring system...............................................................................14<br />
2.4.11 Critical monitoring system......................................................................................14<br />
2.5 <strong>OS</strong> FUNCTION SCOPE ........................................................................................................14<br />
2.5.1 Local <strong>OS</strong> function – Automatic activation ..............................................................15<br />
2.5.2 Central <strong>OS</strong> function – Automatic activation...........................................................16<br />
2.5.3 Central <strong>OS</strong> function – Manual activation...............................................................16<br />
2.5.4 Emergency buttons..................................................................................................17<br />
2.5.5 Local Access Safety functions (LAS).......................................................................19<br />
2.6 <strong>OS</strong> FUNCTION INTEGRITY .................................................................................................20<br />
2.6.1 Distinction between CSS-<strong>OS</strong> integrity, Plant System integrity and Occupational<br />
Safety function integrity ......................................................................................................20<br />
2.6.1.1 <strong>OS</strong> Local function case ...................................................................................20<br />
Page 1 of 95
2.6.1.2 <strong>OS</strong> Central Function case................................................................................21<br />
2.6.2 Design requirements to achieve a SIL level............................................................22<br />
2.6.2.1 Quantitative requirements...............................................................................23<br />
2.6.2.2 Architectural requirements..............................................................................24<br />
2.6.2.3 Voting concept ................................................................................................25<br />
2.6.3 <strong>OS</strong> function response time ......................................................................................25<br />
3 SCS-<strong>OS</strong> INTRODUCTION..............................................................................................27<br />
3.1 <strong>OS</strong> HMIS .........................................................................................................................27<br />
3.1.1 CSS-<strong>OS</strong> Operational Components ..........................................................................28<br />
3.1.1.1 Safety Critical Hardwired HMI.......................................................................29<br />
3.1.1.2 <strong>OS</strong> SCADA.....................................................................................................29<br />
3.1.2 CSS-<strong>OS</strong> Maintenance Components.........................................................................29<br />
3.1.2.1 CSS-<strong>OS</strong> Maintenance Terminals ....................................................................30<br />
3.1.2.2 CSS-<strong>OS</strong> Expert Stations .................................................................................30<br />
4 <strong>PSS</strong>-<strong>OS</strong> ARCHITECTURE .............................................................................................31<br />
4.1 <strong>PSS</strong>-<strong>OS</strong> STANDARD AVAILABILITY ARCHITECTURES .......................................................32<br />
4.1.1 Integrated I/O configuration...................................................................................32<br />
4.1.2 Remote I/O configuration .......................................................................................34<br />
4.1.3 Specific remote I/O configuration...........................................................................36<br />
4.2 <strong>PSS</strong>-<strong>OS</strong> HIGH AVAILABILITY ARCHITECTURE..................................................................38<br />
4.3 SPECIFIC <strong>PSS</strong>-<strong>OS</strong> INTER-EXCHANGES ..............................................................................39<br />
4.4 HARDWIRED ARCHITECTURE............................................................................................41<br />
5 SENSORS AND ACTUATORS.......................................................................................42<br />
5.1 IEC 61508 REQUIREMENTS AND CONCEPTS .....................................................................42<br />
5.1.1 Proven in use components ......................................................................................42<br />
5.1.2 Diversified components...........................................................................................42<br />
5.1.3 Fail-safe components ..............................................................................................42<br />
5.1.3.1 Definition ........................................................................................................42<br />
5.1.3.2 Principles.........................................................................................................43<br />
5.1.3.3 Energized to trip & de-energized to trip concepts ..........................................43<br />
5.1.3.4 Signal monitoring............................................................................................43<br />
5.1.3.5 Conclusion ......................................................................................................44<br />
5.1.4 Sensors and actuators connection to Safety Modules.............................................45<br />
5.2 SHARING OF SENSOR OR ACTUATOR BETWEEN OCCUPATIONAL SAFETY, CONVENTIONAL<br />
CONTROL AND INVESTMENT PROTECTION SYSTEMS................................................................45<br />
5.2.1 Sharing of Sensor....................................................................................................45<br />
5.2.2 Sharing of actuator .................................................................................................45<br />
6 NETWORKS .....................................................................................................................46<br />
6.1 CONNECTION BETWEEN <strong>PSS</strong>-<strong>OS</strong> AND CSS-<strong>OS</strong>................................................................46<br />
6.2 CONNECTION BETWEEN <strong>PSS</strong>-<strong>OS</strong> AND THE I/O MODULES.................................................47<br />
Page 2 of 95
6.3 CONNECTION BETWEEN DIFFERENT <strong>PSS</strong>-<strong>OS</strong> IN THE SAME PLANT SYSTEM.......................49<br />
6.4 CONNECTION BETWEEN DIFFERENT <strong>PSS</strong>-<strong>OS</strong> IN DIFFERENT PLANT SYSTEMS....................50<br />
7 HARDWARE ....................................................................................................................51<br />
7.1 <strong>PSS</strong>-<strong>OS</strong> PLC ...................................................................................................................51<br />
7.2 <strong>PSS</strong>-<strong>OS</strong> CUBICLES ...........................................................................................................52<br />
7.2.1 Cubicle Monitoring.................................................................................................52<br />
7.3 <strong>PSS</strong>-<strong>OS</strong> SWITCH ..............................................................................................................53<br />
7.3.1 Conceptual principles .............................................................................................53<br />
7.3.2 Switch Specifications ..............................................................................................53<br />
7.4 <strong>PSS</strong>-<strong>OS</strong> SIGNAL CABLING ................................................................................................54<br />
7.4.1 PSN-<strong>OS</strong> Network.....................................................................................................54<br />
7.4.2 Sensor / actuator .....................................................................................................54<br />
7.5 <strong>PSS</strong>-<strong>OS</strong> POWERING..........................................................................................................54<br />
7.5.1 Conceptual principles .............................................................................................54<br />
7.5.2 CPU racks...............................................................................................................55<br />
7.5.3 Peripheral racks......................................................................................................57<br />
7.5.4 Network products ....................................................................................................58<br />
7.5.5 Cubicle Power distribution .....................................................................................58<br />
8 SOFTWARE TOOLS AND REQUIREMENTS ...........................................................59<br />
8.1 SIEMENS TOOLS ............................................................................................................59<br />
8.2 CODAC TOOLS................................................................................................................59<br />
8.2.1 Self-description Data Toolkit (SDD) ......................................................................60<br />
8.2.2 Control System Studio.............................................................................................60<br />
8.2.2.1 Operator Interface (BOY) ...............................................................................60<br />
8.2.2.2 Alarm Interface (BEAST)...............................................................................60<br />
8.2.2.3 Engineering Archives (BEAUTY)..................................................................60<br />
9 SOFTWARE INTERFACES AND FUNCTIONAL REQUIREMENTS ...................61<br />
9.1 <strong>OS</strong> FUNCTIONAL MONITORING INTERFACE......................................................................61<br />
9.1.1 <strong>OS</strong> Common Concepts ............................................................................................62<br />
9.1.1.1 <strong>OS</strong> Function State and Status..........................................................................62<br />
9.1.1.2 <strong>OS</strong> Function Reset ..........................................................................................63<br />
9.1.1.3 Override ..........................................................................................................63<br />
9.1.1.4 Time stamping ................................................................................................63<br />
9.1.1.5 Alarm Management.........................................................................................64<br />
9.1.1.6 Naming convention.........................................................................................64<br />
9.1.2 Occupational Safety Standard ................................................................................64<br />
9.1.2.1 <strong>OS</strong> Standard Function .....................................................................................64<br />
9.1.2.2 <strong>OS</strong> Standard Emergency Button Monitoring..................................................67<br />
9.1.2.3 <strong>OS</strong> Specific Function ......................................................................................69<br />
9.2 <strong>OS</strong> INTERFACE BETWEEN <strong>PSS</strong>-<strong>OS</strong> PLC AND CSS-<strong>OS</strong> PLC.............................................70<br />
9.3 <strong>OS</strong> HARDWARE MONITORING INTERFACE .......................................................................70<br />
Page 3 of 95
9.4 <strong>PSS</strong>-<strong>OS</strong> SOFTWARE STRUCTURE ......................................................................................70<br />
9.4.1 S<strong>PSS</strong> Architecture and data exchanges ..................................................................71<br />
9.4.2 Safety application....................................................................................................71<br />
9.5 DELIVERABLES RELATED TO THE CSS-<strong>OS</strong> CONFIGURATIONS ..........................................72<br />
10 DEVELOPMENT AND INTEGRATION......................................................................73<br />
11 INSTALLATION..............................................................................................................74<br />
12 TESTING AND ACCEPTANCE TESTS.......................................................................75<br />
12.1 ENTRY CRITERIA ..............................................................................................................75<br />
12.2 ACCEPTANCE PROCESS.....................................................................................................75<br />
12.3 ACCEPTANCE CRITERIA....................................................................................................75<br />
12.4 FAT .................................................................................................................................76<br />
12.5 SAT .................................................................................................................................76<br />
13 STANDARDS COMPLIANCE AND CERTIFICATION REQUIREMENTS ..........78<br />
14 PERIODIC TESTS PRINCIPLE ....................................................................................79<br />
APPENDIX 1 – DETAILED LOGIC HARDWARE LISTS ................................................80<br />
APPENDIX 2 – VARIABLE TABLE FOR <strong>OS</strong> STANDARD FUNCTION ........................85<br />
APPENDIX 3 – FUNCTIONAL REPRESENTATION OF <strong>OS</strong> STANDARD FUNCTION<br />
94<br />
APPENDIX 4 – VARIABLE TABLE FOR <strong>OS</strong> STANDARD EMERGENCY BUTTON<br />
MONITORING .........................................................................................................................95<br />
Page 4 of 95
1 Introduction<br />
Occupational safety (<strong>OS</strong>) is a cross-disciplinary area concerned with protecting the safety, health and welfare of<br />
people engaged in work or employment. The goal of all occupational safety and health programs is to foster a safe<br />
work environment.<br />
In the ITER project, safety concerns are divided into:<br />
• Nuclear safety risks related to internal and external exposure to ionizing radiation and releases of<br />
radioactive material,<br />
• Occupational safety risks, covering all non-nuclear risks.<br />
Occupational safety risks may include:<br />
• Work in confined spaces,<br />
• Proximity to heavy duty equipment,<br />
• Elevated loads,<br />
• Pressure build-up in circuits,<br />
• High temperature,<br />
• Cryogenic risks,<br />
• Electrical risks,<br />
• Magnetic risks,<br />
• Oxygen depletion,<br />
• …<br />
Two types of protection can be found <strong>for</strong> <strong>OS</strong> risks:<br />
<br />
<br />
Internal protections implemented within system <strong>design</strong>. These are inherent protections embedded in the<br />
component, assembly or system itself and which do not involve I&C Systems (e.g. safety relief valves,<br />
cages, locking system....),<br />
I&C protections, which are instrumented functions which protect and warn personnel against possible<br />
immediate risks due to machine or systems failure, malfunctioning or normal hazardous operation (e.g.<br />
oxygen monitoring, leak detection……).<br />
The Safety Control System <strong>for</strong> Occupational Safety (SCS-<strong>OS</strong>) provides an I&C safety system <strong>for</strong> the entire ITER<br />
plant <strong>for</strong> the protection of people and the environment, covering occupational safety issues related to non-nuclear<br />
risks.<br />
This SCS-<strong>OS</strong> contains a central part, the Central Safety System (CSS-<strong>OS</strong>) linked to local parts, the Plant Safety<br />
Systems (<strong>PSS</strong>-<strong>OS</strong>), by a Central Safety Network (CSN-<strong>OS</strong>). A plant safety system <strong>for</strong> <strong>OS</strong> is an I&C safety system<br />
of a plant system which implements occupational safety functions.<br />
The following elements are not included in the safety I&C system <strong>for</strong> occupational safety:<br />
• Fire detection and protection systems, as these are independent systems delivered by PBS.62 and 63<br />
(Buildings),<br />
• Radiation protection system, as it is an independent system delivered by PBS.64 (Radiological and<br />
Environmental Monitoring),<br />
• Access control system, which provides access to controlled zones where it is necessary to control on<br />
site movement and to ensure that only properly authorized people have access, as it is an independent<br />
system delivered by PBS.69 (Access Control and Security Systems),<br />
• Fences, management of access to dangerous areas with a captive key system, administrative procedures,<br />
training of operators… as these are not electrical/electronic/programmable safety-related systems (not<br />
safety instrumentation and control systems),<br />
• I&C functions that have no specific Safety Integrity Level (SIL according to IEC 61508) requirements,<br />
as these systems can be implemented with conventional I&C,<br />
• Nuclear Safety Control System,<br />
• Interlock Control System, which is devoted to investment protection.<br />
Page 5 of 95
To implement this architecture all <strong>OS</strong> actors (<strong>PSS</strong>-<strong>OS</strong> and CSS-<strong>OS</strong>) will incorporate interface management<br />
(hardware and software) described in this document.<br />
1.1 Scope<br />
This document provides the guidelines to be followed by the plant system I&C <strong>design</strong>ers <strong>for</strong> the development of<br />
the <strong>PSS</strong>-<strong>OS</strong> which implements the occupational safety protection functions and interfaces to the Central Safety<br />
Systems <strong>for</strong> Occupational Safety (CSS-<strong>OS</strong>).<br />
1.2 Acronyms<br />
Acronym<br />
Item<br />
BCR Backup Control Room (building 24)<br />
BSR Backup Server Room (building 24)<br />
CDR Conceptual Design review<br />
CFC Continuous Function Charts<br />
CSN Central Safety Network<br />
CSS Central Safety System<br />
CIS Central Interlock System<br />
CODAC Control, Data Access and Communication<br />
CPU Central Processing Unit<br />
EEE Electronic, Electrical and Electromechanical<br />
E/E/PE Electrical / Electronic / Programmable Electronic<br />
FAT Factory Acceptance Tests<br />
FDR Final Design Review<br />
HFT Hardware Fault Tolerant<br />
HIRA Hazard Identification and Risk Assessment<br />
HMI Human-Machine Interface<br />
HO Hand Over<br />
I&C Instrumentation & Control<br />
IEC International Electrotechnical Commission<br />
IO ITER Organization<br />
I/O Input / Output<br />
IOC Input Output Controller<br />
LAS Local Access Safety<br />
MCR Main Control Room (building 71)<br />
MRR Manufacturing Readiness Review<br />
MSR Main Server Room (building 71)<br />
OHS Occupational Health and Safety<br />
<strong>OS</strong> Occupational Safety<br />
PBS Plant Breakdown System<br />
PCDH Plant Control Design Handbook<br />
PDR Preliminary Design Review<br />
PFD Probability of Failure on Demand<br />
PFH Probability of Failure per Hour<br />
Page 6 of 95
PLC<br />
PR<br />
PS<br />
PSCC<br />
PSH<br />
PSN<br />
<strong>PSS</strong><br />
QC<br />
RFE<br />
RO<br />
SAT<br />
SCADA<br />
SCS<br />
Programmable Logic Controller<br />
Project Requirements (ITER)<br />
Plant System<br />
Plant System Conventional Control<br />
Plant System Host<br />
Plant Safety Network<br />
Plant Safety System<br />
Quality Control<br />
Ready For Equipment<br />
Responsible Officer<br />
Site Acceptance Tests<br />
Supervisory Control And Data Acquisition<br />
Safety Control System<br />
For a complete list of ITER<br />
abbreviations refer to [RD11],<br />
ITER<br />
Abbreviations<br />
[ITER_D_2MU6W5].<br />
1.3 References<br />
1.3.1 Reference<br />
documents<br />
SIL Safety Integrity Level<br />
[RD1]. Project<br />
SNP Safety Network Panel<br />
Requirements<br />
(PR)<br />
S<strong>PSS</strong> Standard PLC Software Structure<br />
[ITER_D_27ZRW8 ]<br />
[RD2]. Plant Control<br />
SQS Safety, Quality and Security Department<br />
Design Handbook (PCDH)<br />
SRD System Requirements Document<br />
[ITER_D_27LH2V]<br />
[RD3]. SRD-48<br />
(Central Safety System) from DOORS [ITER_D_2EBF97]<br />
[RD4]. CSS-<strong>OS</strong> SRD Complements about functional requirements [ITER_D_9GJ9G9]<br />
[RD5]. C-DDD Access Safety [ITER_D_3ESV5P]<br />
[RD6]. ITER Policy on EEE in Tokamak complex [ITER_D_6ZV6S3]<br />
[RD7]. Guidance <strong>for</strong> EEE in Tokamak complex [ITER_D_7NPFMA]<br />
[RD8]. Occupational Health and Safety Management Plan [ITER_D_6LCG7B]<br />
[RD9]. Procedure <strong>for</strong> Occupational Health and Safety Hazard Identification and Assessment<br />
[ITER_D_AJLQRF]<br />
[RD10]. Integration Scheme and procedure <strong>for</strong> Plant System I&C [ITER_D_3VVU9W]<br />
[RD11]. ITER Abbreviations [ITER_D_2MU6W5]<br />
1.3.2 Applicable standards<br />
[RS1]. IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related<br />
systems.<br />
[RS2]. IEC 61511: Functional safety- safety instrumented systems <strong>for</strong> the process industry sector.<br />
1.3.3 Hardware Reference documents<br />
[RD12]. ITER Catalogue <strong>for</strong> I&C products – Cubicle [ITER_D_35LXVZ]<br />
[RD13]. ITER Catalogue <strong>for</strong> I&C products – Slow Controllers [ITER_D_333J63]<br />
[RD14]. <strong>Guidelines</strong> <strong>for</strong> I&C Cubicle configurations [ITER_D_476HUG]<br />
[RD15]. I&C Cubicle Monitoring System – Hardware Specifications [ITER_D_7KK29M]<br />
[RD16]. I&C Cubicle Monitoring System – Functional Specifications [ITER_D_7A45LE]<br />
[RD17]. I&C Cubicle Internal Configuration [ITER_D_4H5DW6]<br />
[RD18]. Electrical <strong>design</strong> Handbook (EDH) [ITER_D_2F7HD2]<br />
[RD19]. IO cable catalogue [ITER_D_355QX2]<br />
[RD20]. EDH Part 4: Earthing [ITER_D_2ELREB]<br />
1.3.4 Software Reference documents<br />
[RD21].<br />
PLC Software Engineering Handbook [ITER_D_3QPL4H]<br />
Page 7 of 95
[RD22].<br />
[RD23].<br />
[RD24].<br />
CODAC Core System Overview [ITER_D_34SDZ5]<br />
Philosophy of ITER Alarm System Management [ITER_D_3WCD7T]<br />
SIEMENS S7 Safety Engineering System Manual [SIEMENS_A5E00109529-06]<br />
1.4 PCDH context<br />
The [RD2], Plant Control Design Handbook (PCDH), defines methodology, standards, specifications and<br />
interfaces applicable to the whole life cycle of ITER plant systems Instrumentation & Control (I&C) Systems.<br />
I&C standards are essential <strong>for</strong> ITER to:<br />
• Integrate all plant systems into one integrated control system,<br />
• Maintain all plant systems after delivery acceptance,<br />
• Contain cost by economy of scale.<br />
PCDH comprises a core document which presents the plant system I&C life cycle and recaps the main rules to be<br />
applied to the plant system I&Cs <strong>for</strong> conventional controls, interlocks and safety controls. Some I&C topics are<br />
explained in greater detail in dedicated documents associated with PCDH [RD2]. This document is one of them.<br />
PCDH core and satellite documents: v7<br />
INTERLOCK CONTROLS<br />
<strong>Guidelines</strong> PIS <strong>design</strong> (3PZ2D2)<br />
<strong>Guidelines</strong> <strong>for</strong> PIS integration & config.<br />
Management of local interlock functions<br />
PIS Operation and Maintenance<br />
PS CONTROL DESIGN<br />
Plant system I&C architecture (32GEBH)<br />
Methodology <strong>for</strong> PS I&C specifications (353AZY)<br />
CODAC Core System Overview (34SDZ5)<br />
I&C CONVENTIONS<br />
I&C Signal and variable naming (2UT8SH)<br />
ITER CODAC Glossary (34QECT)<br />
ITER CODAC Acronym list (2LT73V)<br />
OCCUPATIONAL SAFETY CONTROLS<br />
<strong>Guidelines</strong> <strong>for</strong> <strong>PSS</strong>-<strong>OS</strong> <strong>design</strong><br />
NUCLEAR PCDH (2YNEFU)<br />
CATALOGUES <strong>for</strong> PS CONTROL<br />
Slow controllers products (333J63)<br />
Fast controller products (345X28)<br />
Cubicle products (35LXVZ)<br />
Integration kit <strong>for</strong> PS I&C<br />
Core PCDH (27LH2V)<br />
Plant system control philosophy<br />
Plant system control Life Cycle<br />
Plant system control specifications<br />
CODAC interface specifications<br />
Interlock I&C specification<br />
Safety I&C specification<br />
PS CONTROL DEVELOPMENT<br />
I&C signal interface (3299VT)<br />
PLC software engineering handbook (3QPL4H)<br />
<strong>Guidelines</strong> <strong>for</strong> fast controllers (333K4C)<br />
CODAC software development environment (2NRS2K)<br />
<strong>Guidelines</strong> <strong>for</strong> I&C cubicle configurations (4H5DW6)<br />
CWS case study specifications (35W299)<br />
PS SELF DESCRIPTION DATA<br />
Self description schema documentation (34QXCP)<br />
PS CONTROL INTEGRATION<br />
The CODAC -PS Interface (34V362)<br />
PS I&C integration plan (3VVU9W)<br />
ITER alarm system management (3WCD7T)<br />
ITER operator user interface (3XLESZ)<br />
<strong>Guidelines</strong> <strong>for</strong> PON archiving<br />
PS Operating State management (AC2P4J)<br />
<strong>Guidelines</strong> <strong>for</strong> Diagnostic data structure (354SJ3)<br />
Legend<br />
This document<br />
Available and approved<br />
Expected<br />
(XXXXXX) IDM ref.<br />
Figure 1.1: PCDH documents structure<br />
Page 8 of 95
2 Principles<br />
This chapter describes the common environment <strong>for</strong> all occupational safety actors.<br />
The first sections introduce the roles and responsibilities of each actor, IEC standards and the ITER environment<br />
qualification principle. The next section explains the specific terminology used in this document. Another section<br />
defines the various occupational safety function types necessary to cover all the <strong>OS</strong> needs. The last section<br />
highlights some of the important IEC concepts which have to be followed.<br />
2.1 Roles and responsibilities<br />
In the ITER plant system procurement model, the occupational safety issues will be identified by the <strong>design</strong>ers of<br />
the plant systems (either in IO or in the Domestic Agencies).<br />
There<strong>for</strong>e, the approach is bottom-up. Those in charge of the <strong>design</strong> and procurement of plant systems should<br />
identify occupational safety issues and try to mitigate them by using internal protections as far as possible (refer to<br />
chapter 1 - Introduction). If the remaining risk is still higher than the targeted acceptable risk, entities in charge of<br />
the <strong>design</strong> and procurement of plant systems should consider using Instrumentation and Control (I&C) functions<br />
as additional means to reduce the risk.<br />
<br />
<br />
<br />
Reference list of<br />
Hazards<br />
Policies <strong>for</strong> main<br />
categories of risks<br />
(regulations, standard,<br />
overall strategy <strong>for</strong><br />
prevention, mitigation,<br />
technological<br />
choices…)<br />
OHS Hazard and<br />
Identification<br />
procedure<br />
SQS scope of<br />
responsibility<br />
PS RO scope of<br />
responsibility<br />
PBS.48 scope of<br />
responsibility<br />
PS I&C TROs<br />
joined<br />
responsibility<br />
OHS HIRA process<br />
<strong>for</strong> a Plant System<br />
RO: PS RO with<br />
support of SQS,<br />
Operation, CHD/CS,<br />
BSI, QA<br />
PS OHS HIRA<br />
Approved by PS<br />
directorate Head<br />
Includes preventive and<br />
reactive risk mitigating<br />
measures and detection<br />
requirements.<br />
I&C part feeds PCDH “I8”<br />
document<br />
<strong>OS</strong> I&C function<br />
specification with SIL<br />
allocation<br />
RO: PS TRO<br />
With support of SQS, CHD/<br />
CSD, AOP, BSI<br />
<strong>OS</strong> I&C functional<br />
specifications<br />
Approved by PS RO<br />
“D1” <strong>for</strong> <strong>OS</strong> function<br />
PCDH <strong>for</strong> <strong>OS</strong> I&C<br />
<strong>PSS</strong>-<strong>OS</strong> guidelines<br />
PBS.48 RO<br />
Interface Sheets<br />
PBS.xx/PBS.48<br />
<strong>for</strong> <strong>OS</strong> I&C<br />
PBS.xx<br />
procurements<br />
PBS.xx RO<br />
PBS.48<br />
Procurement<br />
PBS.48 RO<br />
Figure 2.1: <strong>OS</strong> I&C Specification<br />
Page 9 of 95
The <strong>design</strong> and implementation of the <strong>PSS</strong>-<strong>OS</strong> fall under the responsibility of the IO or Domestic Agency<br />
responsible officer <strong>for</strong> the corresponding plant system.<br />
The <strong>design</strong> and implementation of the CSS-<strong>OS</strong> and CSN-<strong>OS</strong> fall under the responsibility of the PBS48 (CSS)<br />
responsible officer at IO.<br />
2.1.1 OHS HIRA process<br />
The controls <strong>for</strong> occupational health and safety (OHS) risks and hazards are identified by thorough and<br />
comprehensive hazard identification and risk assessment process (OHS HIRA). This will be <strong>for</strong>mally documented<br />
and approved and take into account the potential severity of injuries and illnesses as a result of unwanted events<br />
during construction and operation of the ITER plant and systems.<br />
Once these controls have been identified, the residual risk will be re-assessed to evaluate the adequacy of the<br />
controls applied.<br />
OHS HIRA is part of the OHS management work cycle as described in [RD8], Occupational Health and Safety<br />
Management Plan [ITER_D_6LCG7B].<br />
The plant systems <strong>design</strong>ers must refer to the [RD9], OHS HIRA procedure document [ITER_D_AJLQRF] to set<br />
up everything required to identify the <strong>OS</strong> risks related to the <strong>design</strong> of plant systems.<br />
Note: OHS HIRA is an iterative process which needs continuous review.<br />
This plant system HIRA process delivers the requirements <strong>for</strong> the <strong>OS</strong> I&C functions.<br />
2.2 Relation between <strong>PSS</strong>-<strong>OS</strong> <strong>Guidelines</strong> and IEC 61508<br />
These guidelines highlight important requirements and define specific ITER <strong>design</strong> features concerning<br />
integration, interfaces with the central system <strong>for</strong> occupational safety and overall operation, but they are not a<br />
substitute <strong>for</strong> the IEC standards <strong>for</strong> the requirements <strong>for</strong> SIL certification which must still be met. It is the<br />
responsibility of the plant system supplier to organize a safety assessment of the <strong>PSS</strong>-<strong>OS</strong> by a third party, and to<br />
demonstrate by this mean the compliance to the IEC 61508.<br />
2.3 Environmental qualification<br />
ITER plant systems will contain a large quantity of electronic, electrical, and electromechanical (EEE)<br />
components. Many of them will be, by necessity, located in the radiation and magnetic fields in the TOKAMAK<br />
Complex and can be negatively affected by these environmental conditions.<br />
This is the reason why ITER plant electronic, electrical and electro-mechanical systems, and among them the <strong>PSS</strong>-<br />
<strong>OS</strong>, must comply with the requirements <strong>for</strong> operating within the TOKAMAK Complex.<br />
Refer to [RD6], ITER Policy on EEE in the Tokamak Complex [ITER_D_6ZX6S3] and [RD7], Guidance <strong>for</strong> EEE<br />
in Tokamak Complex [ITER_D_7NPFMA] <strong>for</strong> more details.<br />
2.4 Terminology<br />
This section introduces the basic concepts of <strong>OS</strong> to be taken into account by the plant systems.<br />
Page 10 of 95
2.4.1 SCS-<strong>OS</strong><br />
The Safety Control System <strong>for</strong> Occupational Safety (SCS-<strong>OS</strong>) provides an I&C safety system <strong>for</strong> the entire ITER<br />
plant <strong>for</strong> the protection of people and the environment regarding occupational safety issues related to non-nuclear<br />
risks.<br />
This SCS-<strong>OS</strong> contains a central part, the Central Safety System (CSS-<strong>OS</strong>) linked to local parts, the Plant Safety<br />
Systems (<strong>PSS</strong>-<strong>OS</strong>), by a Central Safety Network (CSN-<strong>OS</strong>). A plant safety system <strong>for</strong> <strong>OS</strong> is an I&C safety system<br />
of a plant system containing occupational safety functions.<br />
Control-room<br />
CSS<br />
-<strong>OS</strong><br />
Sco<br />
pe op<br />
e<br />
Server-room<br />
CSS-<strong>OS</strong><br />
Engineering<br />
Workstation<br />
CSS-<strong>OS</strong><br />
Maintenance<br />
Terminal<br />
Safety Critical<br />
Hardwired<br />
HMI<br />
CSS-<strong>OS</strong><br />
Safety PLC<br />
CSS-<strong>OS</strong><br />
Servers<br />
CSS-<strong>OS</strong><br />
Terminal<br />
SCS<br />
-<strong>OS</strong><br />
Sco<br />
pe op<br />
e<br />
<strong>PSS</strong>- <strong>OS</strong><br />
<strong>OS</strong><br />
Sc<br />
Scop<br />
eop<br />
e<br />
<strong>PSS</strong>-<strong>OS</strong><br />
Safety PLC<br />
Plant systems<br />
CSN-<strong>OS</strong><br />
Figure 2.2: SCS-<strong>OS</strong> Overview and scope of the document<br />
Caution: the redundancy in the Control Room and the Server Room is not represented in figure 2.2.<br />
2.4.2 <strong>PSS</strong>-<strong>OS</strong><br />
The Plant Safety Systems <strong>for</strong> Occupational Safety (<strong>PSS</strong>-<strong>OS</strong>) are part of the plant systems I&C.<br />
Every plant system that requires an I&C function with a SIL allocation above SIL1 (refer to IEC 61508 [RS1]and<br />
OHS HIRA procedure [RD9] must have a <strong>PSS</strong>-<strong>OS</strong> to reduce the <strong>OS</strong> risks it generates.<br />
Caution: the passive protections ensured by the system <strong>design</strong> (safety relief valves, cages, locking system…..) are<br />
unrelated to the I&C system and are there<strong>for</strong>e out of the scope of this document.<br />
The <strong>PSS</strong>-<strong>OS</strong> per<strong>for</strong>ms the <strong>OS</strong> I&C functions, by means of sensors, PLCs and actuators.<br />
Page 11 of 95
Each <strong>PSS</strong>-<strong>OS</strong> provides local protection by implementing the local occupational safety functions of the<br />
corresponding plant system. A <strong>PSS</strong>-<strong>OS</strong> may also participate in the central safety functions coordinated by the<br />
CSS-<strong>OS</strong>.<br />
It is the responsibility of the plant system responsible officer to supply, implement and operate:<br />
- Sensors and actuators involved in <strong>OS</strong> I&C functions,<br />
- <strong>PSS</strong>-<strong>OS</strong> PLC, including a standard interface with CSS-<strong>OS</strong> through CSN-<strong>OS</strong>.<br />
The <strong>PSS</strong>-<strong>OS</strong> is independent (in terms of hardware components & associated software) of the system that manages<br />
the nuclear safety I&C functions of the plant system.<br />
The <strong>PSS</strong>-<strong>OS</strong> is also independent (in terms of hardware components & associated software) of all the others I&C<br />
systems of the plant system (conventional and interlock systems).<br />
2.4.3 CSS-<strong>OS</strong><br />
The Central Safety System <strong>for</strong> Occupational Safety is the central part of the SCS-<strong>OS</strong>, which integrates functions<br />
to coordinate the locally distributed plant I&C systems. It retrieves/manages data from the distributed systems to<br />
activate protections in order to remove or reduce hazardous conditions which have been detected. It does this<br />
either automatically, or by a manual operator command from the operator’s safety desks located in the control<br />
rooms.<br />
At the central level, the Central Safety System <strong>for</strong> Occupational Safety (CSS-<strong>OS</strong>, managed by PBS.48) is<br />
responsible <strong>for</strong> providing:<br />
- CSS-<strong>OS</strong> PLCs which host safety applications <strong>for</strong> coordinating the plant systems,<br />
- Human machine interfaces <strong>for</strong> the supervisory features of all the <strong>OS</strong> I&C functions that have to be<br />
reported in control rooms: monitoring, control, diagnostic, maintenance and archiving,<br />
- A dedicated redundant network (CSN-<strong>OS</strong>, refer to section 2.3.5) to enable communication between all<br />
the <strong>OS</strong> systems,<br />
- Engineering workstations,<br />
- Hardwired panels to manage central functions with manual activation and to display in<strong>for</strong>mation that<br />
requires a high reliability.<br />
The CSS-<strong>OS</strong> is implanted in the server-rooms and control-rooms of buildings 71 and 24. The CSS-<strong>OS</strong> is beyond<br />
the scope of this document.<br />
The CSS-<strong>OS</strong> is independent from the system that manages nuclear safety functions.<br />
Notes:<br />
- PBS.48 (CSS) also implements central systems <strong>for</strong> nuclear safety. The <strong>design</strong> of this system is detailed in<br />
a dedicated document.<br />
- The Central Safety Systems together with CODAC and the Central Interlock System (CIS) <strong>for</strong>m the<br />
ITER I&C Central Systems.<br />
2.4.4 PSN-<strong>OS</strong><br />
The Plant Safety Network <strong>for</strong> Occupational Safety (PSN-<strong>OS</strong>) is the <strong>OS</strong> field network.<br />
It provides communication between the components involved in the <strong>OS</strong> functions inside one plant system. The<br />
PSN-<strong>OS</strong> connects the <strong>PSS</strong>-<strong>OS</strong> PLC in a plant system to the sensors and actuators in the same plant system when<br />
distributed I/O stations are used.<br />
The PSN-<strong>OS</strong> will also connect <strong>PSS</strong>-<strong>OS</strong> PLCs together when there is more than one in a plant system.<br />
The PSN-<strong>OS</strong> in one plant system will not be shared with other plant systems.<br />
Page 12 of 95
Server room<br />
CSS-<strong>OS</strong><br />
Safety<br />
PLC<br />
CSN-<strong>OS</strong><br />
<strong>PSS</strong>-<strong>OS</strong><br />
Safety<br />
PLC<br />
Plant System<br />
PSN-<strong>OS</strong><br />
Remote I/O<br />
station<br />
T<br />
To other remote I/O Station<br />
T: transmitter<br />
Figure 2.3: PSN-<strong>OS</strong> Network<br />
2.4.5 CSN-<strong>OS</strong><br />
The Central Safety Network <strong>for</strong> Occupational Safety is the <strong>OS</strong> network.<br />
It provides communication between the plant safety systems and the Central Safety System <strong>for</strong> inter-plant system<br />
<strong>OS</strong> protection and monitoring functions via a redundant industrial Ethernet network.<br />
The CSN-<strong>OS</strong> is composed of two redundant networks and is independent of the network that manages the nuclear<br />
safety functions.<br />
The supply of the CSN-<strong>OS</strong> beyond the scope of the plant systems.<br />
The plant system providers are responsible <strong>for</strong> the <strong>PSS</strong>-<strong>OS</strong> connection to these redundant networks.<br />
2.4.6 Safety Function<br />
Safety function definition from IEC 61508 Part 3:<br />
‘’Function to be implemented by an E/E/PE safety-related system, other technology safety-related system or<br />
external risk reduction facilities, which is intended to achieve or maintain a safe state <strong>for</strong> the EUC, in respect of a<br />
specific hazardous event’’<br />
‘’Electrical / electronic / programmable electronic (E/E/PE): based on electrical (E) and/or electronic (E)<br />
and/or programmable electronic (PE) technology’’<br />
‘’Equipment under control (EUC): equipment, machinery, apparatus or plant used <strong>for</strong> manufacturing, process,<br />
transportation, medical or other activities’’<br />
2.4.7 Occupational Safety I&C Function<br />
This is a safety I&C function that addresses a specific occupational safety hazard.<br />
Page 13 of 95
2.4.8 Occupational Safety Event<br />
This is the plant system state or combination of states involving one or several different plant systems that could<br />
potentially result in injuries and illnesses to people, and that triggers an action of the corresponding <strong>PSS</strong>-<strong>OS</strong><br />
and/or the CSS-<strong>OS</strong>.<br />
The plant system state is usually determined through sensors.<br />
2.4.9 Occupational Safety Action<br />
These are measures or sequences of measures carried out by the <strong>PSS</strong>-<strong>OS</strong> and/or the CSS-<strong>OS</strong> to mitigate the risks<br />
following an occupational safety event. These protection actions are managed by the <strong>PSS</strong>-<strong>OS</strong> when the measures<br />
are restricted to the plant system which detected the event and by the CSS-<strong>OS</strong> when various plant systems are<br />
involved.<br />
2.4.10 Non-critical monitoring system<br />
The non-critical monitoring system, which is mainly composed of computerized HMIs, monitors occupational<br />
safety functions. These computerized HMIs are located in the control and the server rooms depending on the<br />
associated user activities.<br />
This system does not contribute to the SIL classified safety I&C functions.<br />
2.4.11 Critical monitoring system<br />
The critical monitoring system is a component of the CSS-<strong>OS</strong> monitoring system which has the ability to<br />
contribute to the SIL2 or SIL3 classified occupational safety I&C functions, unlike the non-critical monitoring<br />
system through CSS-<strong>OS</strong> terminals (which can only be accredited up to SIL1). Physically, this system will be<br />
implemented as two redundant hardwired panels, one in the Main Control Room <strong>for</strong> the safety operators, and the<br />
other in the Back-Up Control Room.<br />
These components monitor and also control some specific critical <strong>OS</strong> functions.<br />
2.5 <strong>OS</strong> function scope<br />
Given the organizational division of ITER and in order to meet the safety requirements, the functional<br />
requirements address two different needs:<br />
- Each plant system must have the means to detect and reduce its own <strong>OS</strong> risks locally,<br />
- If different plant systems are involved in the same <strong>OS</strong> function, a central system must coordinate the<br />
locally distributed safety systems.<br />
Two categories of occupational safety functions are defined:<br />
- “Requiring human intervention” type: high occupational risks that require a human response. The alarms<br />
and in<strong>for</strong>mation related to these functions are displayed on a very reliable hardwired HMI (in the CSS-<br />
<strong>OS</strong> scope) because they trigger an action by the operator and consequently the safety action.<br />
- “Automatic” type: in this case, the risk is controlled by the SCS-<strong>OS</strong> without any human intervention.<br />
These functions are monitored from a computerized HMI, with detailed diagnostic per<strong>for</strong>mance.<br />
Apart from a minimal number of specific cases, the occupational risk functions are automatic functions.<br />
From these requirements and to cover all future <strong>OS</strong> functions, CSS has defined <strong>OS</strong> function types. These<br />
types should cover the complete needs of <strong>PSS</strong>-<strong>OS</strong>. The following sections describe these <strong>OS</strong> function types.<br />
Page 14 of 95
2.5.1 Local <strong>OS</strong> function – Automatic activation<br />
As a consequence of the identification process of safety functions described in [RD8], the Occupational Health<br />
and Safety Management Plan [ITER_D_6LCG7B] and of the type of occupational risks, the majority of<br />
occupational safety I&C functions will be completely implemented at a plant system level. Hence, most <strong>OS</strong><br />
functions will be local functions.<br />
The plant system has the means of detecting its <strong>OS</strong> risk (it has its own sensors) and of reducing it (its own<br />
actuators) thereby per<strong>for</strong>ming an automatic safety protection or mitigation action to control the risk.<br />
There<strong>for</strong>e, throughout their its cycle the plant system is fully responsible <strong>for</strong> the safety level of its own<br />
occupational safety I&C functions as defined in the applicable standards [RS1] and [RS2].<br />
The central I&C system <strong>for</strong> occupational safety does not play an active role in the safety function. It is in charge<br />
of non-critical actions such as the reset of functions and it is in<strong>for</strong>med about changes of state of the plant system.<br />
These <strong>OS</strong> I&C functions are called “local” safety functions.<br />
Central System<br />
Critical Monitoring<br />
System<br />
Safety Monitoring<br />
System<br />
Not used <strong>for</strong> this case<br />
Not used <strong>for</strong> this case<br />
Monitoring<br />
Coordination System<br />
Reset<br />
Risk detecting<br />
System<br />
Event or action transmission<br />
Risk eliminating<br />
System<br />
Event<br />
Action<br />
Plant System<br />
Sensor<br />
Actuator<br />
Safety critical component (contributes to the SIL classified safety I&C functions)<br />
Safety monitoring component (does not contribute to the SIL classified safety I&C functions)<br />
Figure 2.4: Local function mechanisms<br />
Note: the risk detecting system and the risk eliminating system can be in the same PLC.<br />
The majority of the occupational safety I&C functions will be fully implemented in one plant system. Given this<br />
local function concept, a specific <strong>OS</strong> standard has been developed by CSS in order to define the monitoring<br />
interface between the <strong>PSS</strong>-<strong>OS</strong> and the CSS-<strong>OS</strong> (refer to section 9.1.2.1 <strong>for</strong> more details)<br />
Page 15 of 95
2.5.2 Central <strong>OS</strong> function – Automatic activation<br />
Some <strong>OS</strong> I&C functions may concern two or more plant systems.<br />
In this case, the occupational safety events are detected by the plant system(s) and transmitted to the central <strong>OS</strong><br />
I&C system which takes a safety decision and dispatches the required safety actions to the other plant system(s)<br />
involved.<br />
The plant systems providing part of the function must achieve the required safety level defined by the relevant<br />
standards [RS1] and [RS2].<br />
The central system is also responsible of the supervisory features that do not require a safety level.<br />
These <strong>OS</strong> I&C functions are called “central” safety functions.<br />
Central System<br />
Critical Monitoring<br />
System<br />
Safety Monitoring<br />
System<br />
Not used <strong>for</strong> this case<br />
Monitoring<br />
Monitoring<br />
Coordination System<br />
Event transmission<br />
Reset<br />
Action transmission<br />
Monitoring<br />
Risk detecting<br />
System<br />
Risk eliminating<br />
System<br />
Event<br />
Action<br />
Sensor<br />
Plant System X<br />
Actuator<br />
Plant System Y<br />
Safety critical component (contributes to the SIL classified safety I&C functions)<br />
Safety monitoring component (does not contribute to the SIL classified safety I&C functions)<br />
Figure 2.5: Central function mechanisms<br />
2.5.3 Central <strong>OS</strong> function – Manual activation<br />
Some safety functions require an operator to take a safety decision to trigger a safety action.<br />
In this case, the occupational safety events are detected by the plant system(s) and transmitted to the central <strong>OS</strong><br />
I&C system which alerts the safety operator through a very reliable HMI. This HMI allows commands to be<br />
executed on the central system which in turn dispatches the required safety actions to the plant system(s).<br />
Page 16 of 95
The central system contributes to the safety integrity level of these functions. The plant systems providing part of<br />
the function must be accredited at the required safety integrity level defined by the relevant standards ([RS1] and<br />
[RS2]).<br />
The central system is responsible <strong>for</strong> the critical monitoring and critical control of the functions which require a<br />
safety level and <strong>for</strong> non-critical supervisory features that do not require a safety integrity level.<br />
Central System<br />
Critical Monitoring<br />
System<br />
Safety Monitoring<br />
System<br />
Monitoring<br />
Critical Monitoring<br />
Event transmission<br />
Monitoring<br />
Critical Control<br />
Coordination System<br />
Reset<br />
Action transmission<br />
Monitoring<br />
Risk detecting<br />
System<br />
Risk eliminating<br />
System<br />
Event<br />
Action<br />
Sensor<br />
Plant System X<br />
Actuator<br />
Plant System Y<br />
Safety critical component (contributes to the SIL classified safety I&C functions)<br />
Safety monitoring component (does not contribute to the SIL classified safety I&C functions)<br />
Figure 2.6: Central function mechanisms - requiring operator intervention<br />
Note: the risk eliminating system can be included in the same plant system as the risk detecting system.<br />
2.5.4 Emergency buttons<br />
Emergency stop buttons and call buttons will be installed throughout the ITER facilities and will be managed by<br />
the SCS-<strong>OS</strong>.<br />
Multisystem Emergency Stop Buttons: These are generally installed on the walls, at the room entrance or<br />
in strategic areas and are dedicated to personal safety. They will trigger the safety systems that put the<br />
associated systems in a safe state. PBS.69 “Access Control & Security Systems” will install these buttons<br />
and provide their status to the Central I&C system <strong>for</strong> occupational safety. The latter will distribute the<br />
stop command detected by PBS.69 to each plant system affected. The principles are the same as <strong>for</strong> the<br />
central function mechanisms (refer to Figure 2.5).<br />
Page 17 of 95
General Electrical Power Emergency Stop Buttons: These are generally installed on the walls, at the room<br />
entrance or in strategic areas (building level <strong>for</strong> example) and are dedicated to shut-off the electricity in<br />
specific area(s) <strong>for</strong> safe intervention by the fire brigade. PBS.43 “Steady State Electrical Power Supply<br />
Networks” will have to detect the activation of the button, to provide this in<strong>for</strong>mation to the Central I&C<br />
system <strong>for</strong> occupational safety and to shut-off the electricity. The Central I&C system <strong>for</strong> occupational<br />
safety will only be responsible of the supervisory features. The principles are the same as <strong>for</strong> the local<br />
function mechanisms (refer to Figure 2.4).<br />
Emergency Call & Stop Buttons in the TOKAMAK Building: These alert the control room and stop and<br />
prevent on-going plasma operations (<strong>for</strong> example in the case of someone trapped in the building during a<br />
countdown). PBS.69 “Access Control & Security Systems” will install these buttons and provide their<br />
status to the Central I&C system <strong>for</strong> occupational safety. The Central I&C system <strong>for</strong> occupational safety<br />
may transmit the status of these buttons to the Central I&C System <strong>for</strong> nuclear safety (CSS-N) to stop or<br />
prevent on-going hazardous operations in the Tokamak Building. The Central I&C system <strong>for</strong><br />
occupational safety is also responsible <strong>for</strong> alerting the control room staff through a highly reliable and<br />
available system.<br />
CSS-<strong>OS</strong><br />
Critical Monitoring<br />
System<br />
Safety Monitoring<br />
System<br />
Critical Monitoring<br />
Monitoring<br />
Reset<br />
Monitoring<br />
Coordination System<br />
Event transmission<br />
CSS-N<br />
Risk detecting<br />
System<br />
Event<br />
Sensor<br />
PBS69<br />
Safety critical component (contributes to the SIL classified safety I&C functions)<br />
Safety monitoring component (does not contribute to the SIL classified safety I&C functions)<br />
Figure 2.7: Emergency call & stop button in TOKAMAK building mechanisms<br />
Emergency Call Buttons in other buildings: Unlike the emergency call & stop buttons in the Tokamak<br />
Building which put the system in safe state and simultaneously alert the control room, emergency call<br />
buttons only alert control room to trigger an emergency intervention. These buttons will be installed by<br />
PBS.69 “Access Control & Security Systems” which will provide the Central I&C system <strong>for</strong><br />
Page 18 of 95
occupational safety with the status of these emergency call buttons. The Central I&C system <strong>for</strong><br />
occupational safety will be responsible <strong>for</strong> reporting this emergency to the control rooms with a highly<br />
reliable and available system.<br />
Central System<br />
Critical Monitoring<br />
System<br />
Safety Monitoring<br />
System<br />
Monitoring<br />
Critical Monitoring<br />
Reset<br />
Monitoring<br />
Coordination System<br />
Event transmission<br />
Risk detecting<br />
System<br />
Event<br />
Sensor<br />
PBS69<br />
Safety critical component (contributes to the SIL classified safety I&C functions)<br />
Safety monitoring component (does not contribute to the SIL classified safety I&C functions)<br />
Figure 2.8: Emergency call button in other building mechanisms<br />
Note: Plant System Emergency Stop devices or emergency switch off devices: These are generally installed in<br />
front of doors to electrical board systems or near electrical motors. They stop the process when a problem is<br />
detected by an operator (e.g. smoke or strange sound). The emergency stop devices or emergency switch off<br />
devices (under the responsibility of the plant system concerned) will be monitored by their conventional control<br />
system only and the status reported to the CODAC system. In parallel, operators can actuate the nearest<br />
emergency call button.<br />
Given these emergency button concepts, CSS has developed a specific <strong>OS</strong> standard to define the monitoring<br />
interface between the <strong>PSS</strong>-<strong>OS</strong> and the CSS-<strong>OS</strong> (refer to section 9.1.2.2 <strong>for</strong> more details).<br />
2.5.5 Local Access Safety functions (LAS)<br />
As described in [RD5], the Conceptual System Design Description of Access Safety System [ITER_D_3ESV5P],<br />
the SCS-<strong>OS</strong> is responsible <strong>for</strong> implementing the access safety functions concerning occupational safety risks.<br />
Local access safety functions (LAS) to protect people from non-nuclear risks in case of intrusion will be<br />
implemented to stop plant system equipment on the opening of a door and to remove the source of risks or to ban<br />
access to an area if a risk is detected.<br />
Page 19 of 95
The plant system will be responsible <strong>for</strong> detecting the risk and <strong>for</strong> removing it, stopping the equipment or banning<br />
access to the area.<br />
There<strong>for</strong>e, as is the case <strong>for</strong> local occupational safety functions, the plant system will be responsible <strong>for</strong> the safety<br />
level of its own access safety I&C functions and systems.<br />
The Central I&C system <strong>for</strong> occupational safety will only be responsible <strong>for</strong> the supervisory features that do not<br />
require a safety level.<br />
The principles are the same as <strong>for</strong> local function mechanisms (refer to Figure 2.4).<br />
2.6 <strong>OS</strong> function integrity<br />
The safety functions of the SCS-<strong>OS</strong> have to fulfill the requirements of the IEC 61508 standard [RS1] and<br />
the IEC 61511 standard [RS2] throughout the life cycle of safety functions.<br />
IEC 61508 and IEC 61511 define four discrete Safety Integrity Levels (from 1 to 4). Each level corresponds to a<br />
probability range <strong>for</strong> the failure of a safety function. The higher the Safety Integrity Level of the safety-related<br />
systems, the lower the probability that they will not per<strong>for</strong>m the requested safety function.<br />
This section highlights some of the key concepts of I&C safety standards. However, the Plant System<br />
<strong>design</strong>er has to refer to the standards themselves <strong>for</strong> the exhaustive list of the requirements to achieve the<br />
targeted SIL level.<br />
2.6.1 Distinction between CSS-<strong>OS</strong> integrity, Plant System integrity and<br />
Occupational Safety function integrity<br />
There are two steps in order to <strong>design</strong> Plant System integrity:<br />
1. The first is the separate <strong>design</strong> of each <strong>OS</strong> function (local function) or part of <strong>OS</strong> functions (central<br />
function) inside the Plant System. The SIL defined <strong>for</strong> each <strong>OS</strong> function and the associated IEC<br />
requirements are the main inputs <strong>for</strong> this step.<br />
2. The second step is the global <strong>design</strong> of the <strong>PSS</strong>-<strong>OS</strong> according to all of the <strong>OS</strong> function safety integrity<br />
levels (local function) and all parts of the <strong>OS</strong> function (central function) implemented in the <strong>PSS</strong>-<strong>OS</strong>.<br />
These steps and the associated local and central function requirements are developed below.<br />
2.6.1.1 <strong>OS</strong> Local function case<br />
First step: the separate <strong>design</strong><br />
For occupational safety local functions, the level to be allocated is based on a calculation which only concerns the<br />
<strong>PSS</strong>-<strong>OS</strong> PLC, the sensors & associated signal conditioning (event) and the actuators (action).<br />
Page 20 of 95
Event<br />
Subsystem<br />
<strong>PSS</strong>-<strong>OS</strong> 1<br />
Logic solver<br />
Subsystem<br />
Action<br />
Subsystem<br />
Local calculation<br />
Plant System 1 integrity area example<br />
Figure 2.9: Local Calculation<br />
The <strong>design</strong>er of the Plant System will take all IEC requirements <strong>for</strong> each <strong>OS</strong> function into account to obtain the<br />
relevant SIL level (refer to section 2.6.2).<br />
Second step: the global <strong>design</strong><br />
According to the following IEC 61508 requirements, the <strong>PSS</strong>-<strong>OS</strong> will be <strong>design</strong>ed with the highest SIL of the<br />
functions deployed.<br />
From IEC 61508 Part 1 Section 7.6.2.10:<br />
‘’For an E/E/PE safety-related system that implements safety functions of different safety integrity levels, unless it<br />
can be shown there is sufficient independence of implementation between these particular safety functions, those<br />
parts of the safety-related hardware and software where there is insufficient independence of implementation shall<br />
be treated as belonging to the safety function with the highest safety integrity level. There<strong>for</strong>e, the requirements<br />
applicable to the highest relevant safety integrity level shall apply to all those parts’’<br />
Example:<br />
SIL2 Local <strong>OS</strong><br />
Function<br />
<strong>PSS</strong>-<strong>OS</strong> SIL2<br />
Architecture<br />
SIL2 Local <strong>OS</strong><br />
Function<br />
+<br />
SIL3 Local <strong>OS</strong><br />
Function<br />
<strong>PSS</strong>-<strong>OS</strong> SIL3<br />
Architecture<br />
Figure 2.10: Local Function synthesis principle<br />
2.6.1.2 <strong>OS</strong> Central Function case<br />
First step: the separate <strong>design</strong><br />
For the <strong>OS</strong> central functions, the level allocated is based on a calculation concerning all the associated safety<br />
components: the CSS-<strong>OS</strong> PLC, the various <strong>PSS</strong>-<strong>OS</strong> PLC involved and the associated sensors and actuators.<br />
Page 21 of 95
In the following figure, a <strong>PSS</strong>-<strong>OS</strong> (<strong>PSS</strong>-<strong>OS</strong> 1) integrates part of an occupational safety central function.<br />
Event<br />
Subsystem<br />
<strong>PSS</strong>-<strong>OS</strong> 1<br />
Logic solver<br />
Subsystem<br />
CSS-<strong>OS</strong><br />
Logic solver<br />
Subsystem<br />
<strong>PSS</strong>-<strong>OS</strong> 2<br />
Logic solver<br />
Subsystem<br />
Action<br />
Subsystem<br />
Central calculation<br />
Plant System 1 integrity area example<br />
Figure 2.11: Central Calculation<br />
For the central <strong>OS</strong> functions, the <strong>PSS</strong>-<strong>OS</strong> is one of several actors concerned with the SIL allocations. The <strong>design</strong>er<br />
of the Plant System will take all IEC requirements in account <strong>for</strong> each local part of the <strong>OS</strong> functions to achieve the<br />
relevant SIL level (refer to section 2.6.2)<br />
The set of subsystem calculations will demonstrate the overall SIL level of the complete <strong>OS</strong> function.<br />
Second step: the global <strong>design</strong><br />
According to the following IEC 61508 requirements, the <strong>PSS</strong>-<strong>OS</strong> will be <strong>design</strong>ed with the highest SIL of the<br />
functions deployed.<br />
Example:<br />
SIL2 Local Part of<br />
<strong>OS</strong> central<br />
Function<br />
<strong>PSS</strong>-<strong>OS</strong> SIL2<br />
Architecture<br />
SIL2 Local Part of<br />
<strong>OS</strong> central<br />
Function<br />
+<br />
SIL3 Local Part of<br />
<strong>OS</strong> central<br />
Function<br />
<strong>PSS</strong>-<strong>OS</strong> SIL3<br />
Architecture<br />
Figure 2.12: Central Function synthesis mechanisms<br />
2.6.2 Design requirements to achieve a SIL level<br />
For each safety function, there are three main types of requirements that have to be met in order to achieve a given<br />
SIL:<br />
<br />
<br />
<br />
A quantitative requirement, expressed as a probability of failure on demand (PFD) or alternatively as the<br />
probability of a dangerous failure per hour (PFH),<br />
An architectural requirement, expressed in terms of constraints on the subsystems per<strong>for</strong>ming the safety<br />
function,<br />
Requirements concerning which techniques and measures should be used to avoid and control systematic<br />
faults.<br />
Page 22 of 95
2.6.2.1 Quantitative requirements<br />
According to IEC 61508 and IEC 61511, the safety integrity requirements <strong>for</strong> each safety function should be<br />
specified in terms of either:<br />
<br />
<br />
The average probability of a dangerous failure on demand of the safety function, <strong>for</strong> a low demand mode<br />
of operation (PFD),<br />
The average frequency of a dangerous failure of the safety function, <strong>for</strong> a continuous or high demand<br />
mode of operation (PFH or λ).<br />
It should be noted that the SIL requirement applies to a complete function, i.e. the field sensor (event), the logic<br />
solver and the final element (action). It is there<strong>for</strong>e incorrect to refer to any individual item or equipment having a<br />
safety integrity level. A separate component can be certified <strong>for</strong> a particular SIL application, but such a certificate<br />
constitutes only part of the verification ef<strong>for</strong>t, since the required failure probability from IEC 61508 Tables must<br />
be verified <strong>for</strong> the complete function.<br />
Example 1: Local <strong>OS</strong> function in high demand mode<br />
PFH1 PFH2 PFH3<br />
Event<br />
Subsystem1<br />
<strong>PSS</strong>-<strong>OS</strong> 1<br />
Logic<br />
solver<br />
Subsystem2<br />
Action<br />
Subsystem3<br />
SIL 2 CLAIM<br />
PFH1 + PFH2 + PFH3 < 10 -6<br />
Plant System 1 integrity area example<br />
Figure 2.13: Local Function mechanisms<br />
Page 23 of 95
Example 2: Central <strong>OS</strong> function in high demand mode<br />
PFH1<br />
PFH2<br />
PFH3<br />
PFH4<br />
PFH5<br />
Event<br />
<strong>PSS</strong>-<strong>OS</strong> 1<br />
Logic<br />
solver<br />
CSS-<strong>OS</strong><br />
Logic<br />
solver<br />
<strong>PSS</strong>-<strong>OS</strong> 2<br />
Logic<br />
solver<br />
Action<br />
Subsystem1 Subsystem2 Subsystem3 Subsystem4<br />
Subsystem5<br />
SIL 2 CLAIM<br />
PFH1 + PFH2 + PFH3 + PFH4 + PFH5 < 10 -6<br />
Plant System 1 integrity area example<br />
Figure 2.14: Central Function mechanisms<br />
The Plant System 1 <strong>design</strong>er will take care of the whole subsystems <strong>for</strong> the first example whereas he will only<br />
take care of two subsystems (event & <strong>PSS</strong>-<strong>OS</strong> 1 logic solver) <strong>for</strong> the second example.<br />
2.6.2.2 Architectural requirements<br />
Following the same philosophy as <strong>for</strong> the quantitative requirements, functions must be broken down into<br />
subsystems or blocks: event (sensor & signal converting), logic solver (PLC) and action (final element).<br />
For safety instrumented functions, each subsystem or block will have a minimum hardware fault tolerance (HFT).<br />
From IEC 61508 Part 4 Section 3.6.3:<br />
‘’Fault tolerance: it is the ability of a functional unit to continue to per<strong>for</strong>m a required function in the presence of<br />
faults or errors’’.<br />
From IEC 61508 Part 2 Section 7.4.4.1.1:<br />
‘’A hardware fault tolerance of N means that N+1 is the minimum number of faults that could cause a loss of the<br />
safety function’’.<br />
There are 3 possibilities <strong>for</strong> the HFT value:<br />
<br />
<br />
<br />
HFT=0, Single-channel use. A single fault may cause a loss of safety.<br />
HFT=1, redundant version. At least two hardware faults have to occur at the same time to cause a loss of<br />
safety.<br />
HFT=2, dual redundancy version. At least three hardware faults have to occur at the same time to cause a<br />
loss of safety.<br />
Refer to [RS1], IEC 61508 standard part 2 section 7.4.4 <strong>for</strong> more detail about architectural requirements.<br />
Page 24 of 95
2.6.2.3 Voting concept<br />
The voting logic (MooN) is one of the main concepts directly associated with the quantitative requirements. It<br />
allows the architecture of each subsystem to be specified.<br />
MooN: ‘’Safety instrumented system, or part thereof, made up of “N” independent channels, which are so<br />
connected, that “M” channels are sufficient to per<strong>for</strong>m the safety instrumented function’’(From IEC 61511 Part 1<br />
Section 3.2.45).<br />
<br />
<br />
<br />
<br />
1 out of 1 architecture (1oo1):<br />
‘’This architecture consists of a single channel, where any dangerous failure leads to a failure of the<br />
safety function when a demand arises’’ (From IEC 61508 Part 6 Section B2.2.1).<br />
This architecture corresponds to HFT=0.<br />
1 out of 2 architecture (1oo2):<br />
‘’This architecture consists of two channels connected in parallel, such that either channel can process<br />
the safety function. Thus there would have to be a dangerous failure in both channels be<strong>for</strong>e a safety<br />
function failed on demand. It is assumed that any diagnostic testing would only report the faults found<br />
and would not change any output states or change the output voting’’(From IEC 61508 Part 6 Section<br />
B2.2.2).<br />
This architecture corresponds to HFT=1.<br />
2 out of 2 architecture (2oo2):<br />
‘’This architecture consists of two channels connected in parallel so that both channels need to demand<br />
the safety function be<strong>for</strong>e it can take place. It is assumed that any diagnostic testing would only report the<br />
faults found and would not change any output states or change the output voting’’ (From IEC 61508 Part<br />
6 Section B2.2.3).<br />
This architecture corresponds to HFT=0.<br />
2 out of 3 architecture (2oo3):<br />
‘’This architecture consists of three channels connected in parallel with a majority voting arrangement<br />
<strong>for</strong> the output signals, such that the output state is not changed if only one channel gives a different result<br />
which disagrees with the other two channels.<br />
It is assumed that any diagnostic testing would only report the faults found and would not change any<br />
output states or change the output voting’’ (From IEC 61508 Part 6 Section B2.2.5).<br />
This architecture corresponds to HFT=1.<br />
2.6.3 <strong>OS</strong> function response time<br />
One impact that the choice of architecture has is on the <strong>OS</strong> function response time. The safety system must be<br />
capable of detecting the hazardous event and responding in time to mitigate its consequences, which means <strong>for</strong><br />
example, <strong>for</strong> local functions involving only one controller, per<strong>for</strong>ming the following actions:<br />
1. Sense the out-of-control condition,<br />
2. Digital filtering of input signal,<br />
3. Input process scan time,<br />
4. PLC program scan time,<br />
5. Any trip delay timers set to remove process noise must time out,<br />
6. Output process scan time,<br />
7. Digital filtering of output signal,<br />
8. Fully actuate the output device.<br />
If several PLCs are involved in the <strong>OS</strong> function (central functions or local functions involving several PLCs), the<br />
communication time and PLC program scan time of each PLC must be added.<br />
Page 25 of 95
How much time the safety system has to respond depends on the dynamics of the process and the conditions<br />
initiating its actions. The available process safety time <strong>for</strong> any given safeguard starts when it is necessary to take<br />
action and ends at the point where the event can no longer be prevented.<br />
The process safety time is defined as the time period between a failure occurring in the process or the basic<br />
process control system (with the potential to cause a hazardous event) and the occurrence of the hazardous event if<br />
the safety instrumented function is not per<strong>for</strong>med.<br />
Process Limit<br />
Hazardous event<br />
Fault Not Managed<br />
Fault Managed<br />
Activation Point<br />
Process Safety Time<br />
Fault Occurs<br />
Sensor<br />
detection<br />
time<br />
Fault Detected<br />
Time to React<br />
Action Taken<br />
Actuator<br />
time<br />
Process Reacts<br />
Cushion<br />
Figure 2.15: Time to respond to abnormal situations<br />
The time to react is data defined <strong>for</strong> each <strong>OS</strong> function. It determines the techniques to use <strong>for</strong> the implementation<br />
of the function. The time to react is the time elapsed between the risk occurrence and the mitigation request (when<br />
action is requested).<br />
In the case of a central function, this time constraint has to be shared between the different parts of the function<br />
(the different <strong>PSS</strong>-<strong>OS</strong> and the CSS-<strong>OS</strong>).<br />
Page 26 of 95
3 SCS-<strong>OS</strong> Introduction<br />
The SCS-<strong>OS</strong> is <strong>for</strong>med by the <strong>OS</strong> Central Safety System and the different plant safety systems <strong>for</strong> occupational<br />
safety of each plant system.<br />
The <strong>OS</strong> Central Safety System (CSS-<strong>OS</strong>) is linked to local parts, the Plant Safety Systems (<strong>PSS</strong>-<strong>OS</strong>), by a<br />
redundant Central Safety Network (CSN-<strong>OS</strong>).<br />
To meet all <strong>OS</strong> requirements, the CSS-<strong>OS</strong> System is composed of a safety logic system (to coordinate <strong>OS</strong> central<br />
functions) and a SCADA system (to supervise all local and central <strong>OS</strong> functions).<br />
The following sections focus on the different <strong>OS</strong> human machine interfaces <strong>design</strong>ed to be used by the various <strong>OS</strong><br />
actors.<br />
Note: The elements are described here mainly <strong>for</strong> in<strong>for</strong>mation purposes, as the <strong>PSS</strong>-<strong>OS</strong> <strong>design</strong>er will finally build<br />
the interface with those components, even if in some cases it is an indirect interface.<br />
The different software tools associated with each component are developed in chapter 8 – Software.<br />
3.1 <strong>OS</strong> HMIs<br />
There are four dedicated human machine interfaces <strong>for</strong> the occupational safety System:<br />
- CSS-<strong>OS</strong> operating terminals,<br />
- Safety critical hardwired HMI,<br />
- CSS-<strong>OS</strong> maintenance terminals,<br />
- SIEMENS engineering workstation.<br />
Page 27 of 95
Control-room<br />
Safety Critical<br />
Hardwired HMI<br />
CSS-<strong>OS</strong><br />
Terminal<br />
Server-room<br />
SIEMENS<br />
Engineering<br />
Workstation<br />
CSS-<strong>OS</strong><br />
Maintenance<br />
Terminal<br />
CSS-<strong>OS</strong><br />
Safety PLC<br />
CSS-<strong>OS</strong><br />
Server<br />
PLC IOC<br />
<strong>PSS</strong>x-<strong>OS</strong><br />
Plant systems<br />
CSN-<strong>OS</strong><br />
Safety critical component<br />
Safety monitoring component<br />
Figure 3.1: <strong>OS</strong> HMIs and associated components<br />
Caution: the redundancy in the Control Room and the Server Room is not represented in figure 3.1.<br />
The figure above focuses on the different human machine interfaces (the other CSS-<strong>OS</strong> components are not<br />
represented).<br />
The routine access to the various <strong>PSS</strong>-<strong>OS</strong> is done from the control and server rooms using the SCS-<strong>OS</strong><br />
infrastructure. The <strong>PSS</strong>-<strong>OS</strong> will mainly connect to two interfacing components: the CSS-<strong>OS</strong> Safety PLC<br />
associated with the safety critical hardwired HMI and the CSS-<strong>OS</strong> server PLC IOC.<br />
Note: The CSS-<strong>OS</strong> Server PLC IOC developed by PBS45 (CODAC), responds to the needs <strong>for</strong> PLC integration (it<br />
derives from the PSH of PBS45).<br />
3.1.1 CSS-<strong>OS</strong> Operational Components<br />
There are two types of operational component:<br />
The Safety Critical Hardwired HMI,<br />
The <strong>OS</strong> SCADA.<br />
Page 28 of 95
3.1.1.1 Safety Critical Hardwired HMI<br />
When the monitoring (or control) impacts on the triggering of safety actions and also requires a safety level (SIL),<br />
a very reliable (hardwired) supervisory device will be <strong>design</strong>ed.<br />
It may be required <strong>for</strong> “not fully automatic” high occupational risks that require a human response (i.e. command)<br />
to trigger the safety function, or to display critical occupational safety function alarms or states.<br />
The redundant safety critical hardwired HMIs are located in the control rooms and are connected to the CSS-<strong>OS</strong><br />
Safety PLC through specific redundant remote I/O stations.<br />
Note: This component only concerns a very few occupational safety parameters.<br />
3.1.1.2 <strong>OS</strong> SCADA<br />
The <strong>OS</strong> SCADA is done through the CSS-<strong>OS</strong> terminals located in the control rooms. They support the<br />
monitoring (and control) and have no impact on the actuation of an <strong>OS</strong> function. Support is via:<br />
<br />
<br />
<br />
<strong>OS</strong> process views (Global and detailed) (in CSS-<strong>OS</strong> scope),<br />
Alarm list views (in CSS-<strong>OS</strong> scope),<br />
Archived data list views (in CSS-<strong>OS</strong> scope).<br />
The main feature <strong>for</strong> an <strong>OS</strong> function is the reset command. The <strong>OS</strong> reset commands are sent by authorised<br />
operators from the CSS-<strong>OS</strong> operating terminals using the detail views. These commands are needed <strong>for</strong> <strong>OS</strong><br />
operation but cannot modify the critical machine protection configuration of the <strong>PSS</strong>-<strong>OS</strong>. They are transmitted via<br />
the redundant CSN-<strong>OS</strong>.<br />
Note: The CSS-<strong>OS</strong> terminal technology is a dedicated CODAC Core System and the interface to the <strong>PSS</strong>-<strong>OS</strong> is<br />
through the CSS-<strong>OS</strong> Server PLC IOC.<br />
The CODAC Core System distribution includes the tools to build the EPICS software that is necessary <strong>for</strong><br />
integrating PLCs into the CODAC infrastructure.<br />
The communications between the CSS-<strong>OS</strong> Server and the S7 PLCs are based on an existing EPICS driver (SLS<br />
s7plc) that has been extended by IO.<br />
These communications are implemented by means of exchanges of variables between the CSS-<strong>OS</strong> server and the<br />
PLCs.<br />
From the operator interface requirements of IEC 61511-1:<br />
“The SIS status in<strong>for</strong>mation that is critical to maintaining the SIL shall be available as part of the operator<br />
interface. This in<strong>for</strong>mation may include:<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
where the process is in its sequence;<br />
indication that SIS protective action has occurred;<br />
indication that a protective function is bypassed;<br />
indication that automatic action(s) such as degradation of voting and/or fault handling has occurred;<br />
status of sensors and final elements;<br />
the loss of energy where that energy loss impacts safety;<br />
the results of diagnostics;<br />
failure of environmental conditioning equipment which is necessary to support the SIS”<br />
3.1.2 CSS-<strong>OS</strong> Maintenance Components<br />
There are two types of maintenance component:<br />
The CSS-<strong>OS</strong> maintenance terminals,<br />
The CSS-<strong>OS</strong> expert stations.<br />
Page 29 of 95
3.1.2.1 CSS-<strong>OS</strong> Maintenance Terminals<br />
Through the specific CSS-<strong>OS</strong> terminals located in the server rooms, SCS-<strong>OS</strong> displays the detailed state of the<br />
occupational safety system to the maintenance team via:<br />
<br />
<br />
<br />
<br />
Slow controller hardware diagnostic supervision views (in <strong>PSS</strong>-<strong>OS</strong> and CSS-<strong>OS</strong> scope),<br />
Cubicle hardware diagnostic supervision views (in <strong>PSS</strong>-<strong>OS</strong> and CSS-<strong>OS</strong> scope),<br />
Network component hardware diagnostic supervision views (in CSS-<strong>OS</strong> scope),<br />
Inter-systems communication diagnostic supervision views (in CSS-<strong>OS</strong> scope).<br />
The CSS-<strong>OS</strong> maintenance terminals also allow override operations without disturbing the Control Room<br />
Operator during maintenance phases.<br />
Note: The CSS-<strong>OS</strong> terminal technology is a dedicated CODAC Core System and the interface to the <strong>PSS</strong>-<strong>OS</strong> is<br />
through the CSS-<strong>OS</strong> Server PLC IOC.<br />
3.1.2.2 CSS-<strong>OS</strong> Expert Stations<br />
An engineering workstation is necessary <strong>for</strong> changing PLC application configuration and online monitoring. This<br />
station contains the off-line version of the application running inside all PLC of CSS-<strong>OS</strong> and <strong>PSS</strong>-<strong>OS</strong>.<br />
The redundant SIEMENS engineering workstation is directly connected to CSN-<strong>OS</strong> and exchanges data with<br />
CSS-<strong>OS</strong> PLC and <strong>PSS</strong>-<strong>OS</strong> PLC through the SIEMENS proprietary protocol.<br />
Page 30 of 95
4 <strong>PSS</strong>-<strong>OS</strong> Architecture<br />
Each plant system will have its own <strong>PSS</strong>-<strong>OS</strong> architecture <strong>design</strong>ed taking into account the following:<br />
Functional requirements,<br />
Safety integrity level and availability of each <strong>OS</strong> function,<br />
Type of the <strong>OS</strong> function (local or central),<br />
IEC 61508 & IEC 61511 requirements,<br />
ITER catalogues.<br />
All actors of the ITER I&C System (<strong>PSS</strong>-<strong>OS</strong> and CSS-<strong>OS</strong> <strong>for</strong> Occupational Safety) will use [RD13], the ITER<br />
Catalogue <strong>for</strong> Slow Controller [ITER_D_333J63].<br />
This ITER Slow Controller Catalogue is composed of a selected from the SIEMENS products.<br />
Among these SIEMENS products, two specific fail-safe systems are available <strong>for</strong> integrating safety engineering<br />
into SIMATIC S7 automation systems:<br />
<br />
<br />
The S7 Distributed safety System,<br />
The S7 F/FH System.<br />
Each system has specific hardware components and software tools associated with it:<br />
<br />
<br />
The first system (S7 Distributed safety System) will be used by the <strong>PSS</strong>-<strong>OS</strong> to build standard availability<br />
architectures (<strong>for</strong> SIL2 and SIL3 <strong>OS</strong> functions),<br />
The second system (S7 F/FH System) will be used by the <strong>PSS</strong>-<strong>OS</strong> to build high availability architectures<br />
(only <strong>for</strong> specific <strong>OS</strong> functions).<br />
Note 1: Some hardware components are common between the 2 SIMATIC S7 systems (principally, remote I/O<br />
station and safety I/O modules).<br />
Note 2: No SIL4 occupational safety functions have been identified yet.<br />
The functional requirements may require an:<br />
Interface with the CSS-<strong>OS</strong> SCADA,<br />
Interface with the CSS-<strong>OS</strong> Safety PLC (<strong>for</strong> central <strong>OS</strong> functions).<br />
Be<strong>for</strong>e describing the different <strong>PSS</strong>-<strong>OS</strong> architectures, it is necessary to list the main architectural requirements:<br />
1. Unless it is strictly necessary, only one <strong>PSS</strong>-<strong>OS</strong> logic architecture should be implemented per plant<br />
system. However, more than one architecture may be found inside the same plant system when it hosts<br />
different <strong>PSS</strong>-<strong>OS</strong> (it may be necessary to implement safety functions in several <strong>PSS</strong>-<strong>OS</strong> due to<br />
application size and complexity, or distribution throughout the site).<br />
2. Ideally one plant system contains only one plant safety system which is solely responsible within the<br />
plant system <strong>for</strong> the local and central safety function. The <strong>PSS</strong> controls and monitors the occupational<br />
safety sensors and actuators via the plant safety networks and it constitutes the interface to the CSS-<strong>OS</strong><br />
via the central safety networks.<br />
3. Whenever possible, only one <strong>PSS</strong>-<strong>OS</strong> in the plant system is connected to the CSS-<strong>OS</strong> via the CSN-<strong>OS</strong>.<br />
This master <strong>PSS</strong>-<strong>OS</strong> of the plant system is the single access point to CSN/CSS.<br />
4. Each field network must be totally independent (no link between two occupational safety field networks<br />
or other field networks (from CODAC System or Interlock System)).<br />
Page 31 of 95
4.1 <strong>PSS</strong>-<strong>OS</strong> standard availability architectures<br />
The <strong>PSS</strong>-<strong>OS</strong> standard availability architectures demonstrate the occupational safety architecture needs when<br />
standard availability is required.<br />
These architectures are <strong>design</strong>ed to satisfy safety class requirement (Safety Integrity Level) from SIL2 to SIL3 in<br />
accordance with IEC 61508.<br />
The standard availability architectures use components selected from the S7 Distributed Safety System catalogue<br />
and the S7 F/FH System catalogue available on [RD13], ITER Catalogue <strong>for</strong> slow controllers [ITER_D_333J63].<br />
From one availability objective and two I/O configuration concepts, come three architectures. These three<br />
architectures using both S7 Safety Systems are proposed <strong>for</strong> the <strong>PSS</strong>-<strong>OS</strong> to cover most needs.<br />
1 Objective<br />
Standard Availability<br />
PLC Configuration<br />
2 I/O Concepts<br />
Integrated I/O<br />
Remote I/O<br />
3 Architectures<br />
S7 Distributed<br />
System<br />
S7 300F CPU<br />
S7 Distributed<br />
System<br />
S7 300F CPU<br />
S7 F/FH<br />
System<br />
S7 400H CPU<br />
Figure 4.1: Standard Availability Architecture definition<br />
4.1.1 Integrated I/O configuration<br />
This architecture will be used <strong>for</strong> the <strong>PSS</strong>-<strong>OS</strong> hardware configuration which only has a few I/O and is located near<br />
the <strong>PSS</strong>-<strong>OS</strong> cubicle.<br />
This is a basic and compact architecture without field network and remote stations.<br />
General requirements <strong>for</strong> this architecture are:<br />
<br />
<br />
<br />
<br />
A single CPU,<br />
A single rack,<br />
Associated safety I/O modules,<br />
A redundant connection with the redundant occupational safety acquisition networks.<br />
Only one rack (station) is necessary <strong>for</strong> the single CPU and the associated modules (power modules, network<br />
modules and I/O modules).<br />
The safety I/O modules are operated as centralized modules in the single rack.<br />
In order to connect the <strong>PSS</strong>-<strong>OS</strong> to the CSS-<strong>OS</strong>, the single CPU is connected to the redundant CSN-<strong>OS</strong> acquisition<br />
network.<br />
Detailed application <strong>for</strong> this architecture:<br />
<br />
<br />
A single SIMATIC S7-300F-2PN/DP Central Processing Unit (CPU), TÜV approved to SIL3,<br />
A single SIMATIC S7-300 rack equipped with the associated SIMATIC S7-300 Safety I/O modules.<br />
Page 32 of 95
The characteristics of the selected hardware components are described in chapter 7. The characteristics of the<br />
associated software tools are described in chapter 8.<br />
CPU<br />
Safety I/O modules<br />
Figure 4.2: SIMATIC S7-300 rack mainly equipped with S7-300F CPU and S7 Safety I/O modules<br />
I&C Architecture<br />
CSS-<strong>OS</strong><br />
Server PLC<br />
IOC<br />
CSN – <strong>OS</strong>1<br />
CSN – <strong>OS</strong>2<br />
<strong>PSS</strong>-<strong>OS</strong><br />
SIMATIC S7<br />
SIMATIC S7<br />
CPU 300F<br />
CPU 315F<br />
2 PN/DP<br />
PN/DP<br />
SENSOR<br />
ACTUATOR<br />
Figure 4.3: integrated I/O configuration example <strong>for</strong> an <strong>OS</strong> local function<br />
Page 33 of 95
Note: In a local function case, the <strong>PSS</strong>-<strong>OS</strong> configuration has only one interface with the CSS-<strong>OS</strong> (CSS-<strong>OS</strong><br />
SCADA through the CSS-<strong>OS</strong> Server PLC IOC).<br />
I&C Architecture<br />
CSS-<strong>OS</strong><br />
Server PLC<br />
IOC<br />
CSS-<strong>OS</strong><br />
Safety PLC<br />
CSN – <strong>OS</strong>1<br />
CSN – <strong>OS</strong>2<br />
<strong>PSS</strong>-<strong>OS</strong><br />
SIMATIC S7<br />
CPU 315F-2 300F -2 PN/DP<br />
SENSOR<br />
Figure 4.4: integrated I/O configuration example <strong>for</strong> an <strong>OS</strong> central function<br />
Note: In a central function case, the <strong>PSS</strong>-<strong>OS</strong> configuration has two interfaces with the CSS-<strong>OS</strong> (CSS-<strong>OS</strong> SCADA<br />
and CSS-<strong>OS</strong> Safety PLC).<br />
4.1.2 Remote I/O configuration<br />
This architecture will be used <strong>for</strong> the <strong>PSS</strong>-<strong>OS</strong> hardware configuration when there are decentralized needs or a<br />
large number of I/O.<br />
This is a standard but is not a compact architecture like the integrated I/O configuration described above.<br />
Unlike to the integrated I/O configuration, the remote I/O configuration is an architecture with a field network and<br />
remote station(s).<br />
Page 34 of 95
This architecture has two types of station (or rack), S7-300 station and S7 remote I/O station.<br />
The single CPU and the associated modules (power modules, network modules) are located in the S7-300 station<br />
(identical to the integrated configuration). The safety I/O modules are located in one of the two types of station<br />
(S7-300 station and S7 remote I/O station) according to the plant system needs.<br />
In order to link the <strong>PSS</strong>-<strong>OS</strong> to the CSS-<strong>OS</strong>, the single CPU is connected to the redundant CSN-<strong>OS</strong> acquisition<br />
network.<br />
General requirements <strong>for</strong> this architecture are:<br />
A single CPU,<br />
A single CPU station (rack),<br />
A single field network,<br />
A minimum of one remote I/O station,<br />
Associated safety I/O modules,<br />
A redundant connection with the redundant occupational safety acquisition networks.<br />
Detailed application <strong>for</strong> this architecture:<br />
<br />
<br />
<br />
<br />
<br />
A single SIMATIC S7-300F-2PN/DP Central Processing Unit (CPU), TÜV approved to SIL3,<br />
A single SIMATIC S7-300 station (rack),<br />
A single ProfiBus / ProfiSafe field network,<br />
A minimum of one SIMATIC ET200M remote I/O station,<br />
Associated SIMATIC S7-300 Safety I/O modules.<br />
The characteristics of the selected hardware components are described in chapter 7. The characteristics of the<br />
associated software tools are described in chapter 8.<br />
Safety I/O modules<br />
Figure 4.5: SIMATIC ET200M remote I/O station equipped with Safety I/O modules<br />
Page 35 of 95
CSN – <strong>OS</strong>1<br />
CSN – <strong>OS</strong>2<br />
SIMATIC<br />
SIMATIC<br />
S7<br />
S7<br />
CPU<br />
CPU<br />
315F-2<br />
300F -2<br />
PN/DP<br />
PN/DP<br />
<strong>PSS</strong>-<strong>OS</strong><br />
PSN – <strong>OS</strong><br />
PROFIBUS<br />
To other<br />
Remote I/O<br />
SIMATIC S7<br />
ET 200M<br />
Figure 4.6: remote I/O configuration principle<br />
4.1.3 Specific remote I/O configuration<br />
In the case of particular <strong>PSS</strong>-<strong>OS</strong> needs, the remote I/O configuration can be improved by using a powerful CPU<br />
from the S7 F/FH SIMATIC Safety System instead of the standard SIMATIC S7-300F-2PN/DP CPU from the S7<br />
Distributed Safety System.<br />
The choice between the two remote I/O configurations has to be made according to the process requirements (size<br />
<strong>for</strong> example).<br />
The main difference between configurations is the CPU model, which have different CPU technologies and<br />
different software <strong>for</strong> the safety management.<br />
The main parameters which have to be taken into account <strong>for</strong> the definition of the <strong>PSS</strong>-<strong>OS</strong> PLC:<br />
- The quantity of hardware inputs / outputs ,<br />
- The PLC control unit speed.<br />
This specific architecture should be used when the system to be controlled requires more than 200 inputs/outputs<br />
or when fast CPU execution is required.<br />
General requirements <strong>for</strong> this architecture are:<br />
A single CPU,<br />
A single CPU station (rack),<br />
A non-redundant field network,<br />
A minimum of one remote I/O station,<br />
Associated safety I/O modules,<br />
A redundant connection with the redundant occupational safety acquisition networks.<br />
Page 36 of 95
Caution: Unlike the next configuration, the S7-300 safety I/O modules are only located in the remote I/O station.<br />
The safety I/O modules are not compatible with the S7-400 station.<br />
Detailed application <strong>for</strong> this architecture:<br />
A single SIMATIC S7-400-5H Central Processing Unit (CPU), TÜV approved to SIL3,<br />
A single SIMATIC S7-400 station (rack),<br />
A non-redundant ProfiBus / ProfiSafe field network,<br />
A minimum of one SIMATIC ET200M remote I/O station equipped with the associated SIMATIC S7-<br />
300 Safety I/O modules.<br />
The characteristics of the selected hardware components are described in chapter 7. The characteristics of the<br />
associated software tools are described in chapter 8.<br />
Figure 4.7: SIMATIC S7-400 station mainly equipped with S7-400 5H CPU<br />
CSN – <strong>OS</strong>1<br />
CSN – <strong>OS</strong>2<br />
SIMATIC S7<br />
CPU 400 5H-2 PN/DP<br />
<strong>PSS</strong>-<strong>OS</strong><br />
PSN – <strong>OS</strong><br />
PROFIBUS<br />
To other<br />
Remote I/O<br />
SIMATIC S7<br />
ET 200M<br />
Figure 4.8: specific standard availability configuration principle<br />
Page 37 of 95
4.2 <strong>PSS</strong>-<strong>OS</strong> High availability architecture<br />
The <strong>PSS</strong>-<strong>OS</strong> high availability architecture demonstrates the occupational safety SIL3 architecture needs when<br />
high availability is required.<br />
A philosophy of redundancy is applied to all components (CPU, field network, remote I/O station and associated<br />
safety I/O modules).<br />
The high availability architecture uses components selected from the S7 F/FH System catalogue available from<br />
[RD13], the ITER Catalogue <strong>for</strong> slow controllers [ITER_D_333J63] (CPU and associated CPU station).<br />
General requirements <strong>for</strong> this architecture are:<br />
<br />
<br />
<br />
<br />
<br />
<br />
Two redundant CPUs,<br />
A minimum of one CPU station (rack),<br />
A minimum of two redundant remote I/O stations (1oo2 evaluation case),<br />
Two redundant field networks,<br />
Associated safety I/O modules,<br />
A redundant connection with the redundant occupational safety acquisition networks.<br />
Detailed application <strong>for</strong> this architecture:<br />
Two redundant SIMATIC S7-400-5H CPU, TÜV approved to SIL3,<br />
A minimum of one SIMATIC S7-400 station (rack),<br />
Two redundant ProfiBus / ProfiSafe field networks,<br />
A minimum of two redundant SIMATIC ET200M remote I/O stations equipped with associated S7-300<br />
Safety I/O modules (1oo2 evaluation case).<br />
Each redundant CPU is connected to only one redundant CSN-<strong>OS</strong> network (CSN-<strong>OS</strong> 1 or CSN-<strong>OS</strong> 2).<br />
Both CPUs are connected redundantly to all safety I/O modules via the redundant field networks (each remote I/O<br />
station is linked to the two redundant field networks).<br />
The characteristics of the selected hardware components are described in chapter 7. The characteristics of the<br />
associated software tools are described in chapter 8.<br />
Page 38 of 95
CSN – <strong>OS</strong>2<br />
CSN – <strong>OS</strong>1<br />
SIMATIC S7<br />
CPU 400-5H<br />
REDUNDANT<br />
SIMATIC S7<br />
CPU 400-5H<br />
<strong>PSS</strong>-<strong>OS</strong><br />
PSN – <strong>OS</strong>1<br />
PROFIBUS<br />
PSN – <strong>OS</strong>2<br />
PROFIBUS<br />
SIMATIC S7<br />
ET 200M<br />
To other<br />
Remote I/O<br />
REDUNDANT<br />
SIMATIC S7<br />
ET 200M<br />
Figure 4.9: redundant I/O configuration principle<br />
Figure 4.9 represents an architecture associated with an <strong>OS</strong> function with a 1oo2 sensor evaluation and a 1oo1<br />
actuator evaluation.<br />
Note: A third remote I/O station will be added in the case of a 2oo3 evaluation (sensor or actuator).<br />
There are two possibilities <strong>for</strong> the redundant CPUs layout. The first option (figure 4.9) has each CPU located in<br />
separate stations and also in a specific cubicle. The second option has the two redundant CPUs located in only one<br />
cubicle and in the same station.<br />
4.3 Specific <strong>PSS</strong>-<strong>OS</strong> inter-exchanges<br />
The <strong>PSS</strong>-<strong>OS</strong> exchanges with <strong>PSS</strong>-<strong>OS</strong> from other plant systems are per<strong>for</strong>med exclusively through the CSS-<strong>OS</strong>.<br />
Each <strong>PSS</strong>-<strong>OS</strong> is connected to the CSS-<strong>OS</strong> via the CSN-<strong>OS</strong> (industrial Ethernet) <strong>for</strong> all occupational safety<br />
functions (local or central).<br />
In some special cases, one plant system may host more than one <strong>PSS</strong>-<strong>OS</strong>. This is the case <strong>for</strong> plant systems with<br />
I&C procured by different Domestic Agencies or <strong>for</strong>med by components geographically separated over the site.<br />
In these cases, there are two possibilities:<br />
The <strong>OS</strong> functions are shared among the different <strong>PSS</strong>-<strong>OS</strong> PLC via the PSN-<strong>OS</strong> network,<br />
The <strong>OS</strong> functions are shared among the different <strong>PSS</strong>-<strong>OS</strong> PLC via the CSN-<strong>OS</strong> network.<br />
Page 39 of 95
First case:<br />
In order to have only one connection point with the CSN-<strong>OS</strong> networks, one PLC is declared as concentrator (or<br />
master) to manage the communications with the CSS-<strong>OS</strong>.<br />
Connection point<br />
CSS-<strong>OS</strong> and others <strong>PSS</strong>-<strong>OS</strong><br />
CSN-<strong>OS</strong> Backup<br />
CSN-<strong>OS</strong> Main<br />
<strong>PSS</strong>-<strong>OS</strong> 1<br />
PLC<br />
Plant Safety System 1<br />
Concentrator or Master<br />
<strong>PSS</strong>-<strong>OS</strong> 2<br />
PLC<br />
PSN-<strong>OS</strong><br />
PROFIBUS DP<br />
Plant Safety System 2<br />
<strong>PSS</strong>-<strong>OS</strong> 3<br />
PLC<br />
Plant Safety System n<br />
Figure 4.10: PSN-<strong>OS</strong> exchange principle<br />
Page 40 of 95
Second case:<br />
CSS-<strong>OS</strong> and others <strong>PSS</strong>-<strong>OS</strong><br />
Industrial Ethernet<br />
CSN-<strong>OS</strong> Backup<br />
CSN-<strong>OS</strong> Main<br />
<strong>PSS</strong>-<strong>OS</strong> 1 <strong>PSS</strong>-<strong>OS</strong> 2<br />
PLC<br />
PLC<br />
Plant Safety System 1<br />
Plant Safety System 2<br />
Figure 4.11: CSN-<strong>OS</strong> exchange principle<br />
4.4 Hardwired architecture<br />
Up to SIL3 requirements, Safety PLC solutions are generally less complex than large hardwired systems. They<br />
provide more flexibility, diagnostic and troubleshooting features and the easiest communications through the<br />
network architecture.<br />
In spite of these general statements and <strong>for</strong> some specific cases, <strong>OS</strong> functions can be implemented using a<br />
hardwired architecture if there are particular requirements that make it more appropriate.<br />
These situations have to be discussed within IO on a case by case basis.<br />
Page 41 of 95
5 Sensors and actuators<br />
Each Plant System must follow various IEC 61508 requirements in order to select each sensor and actuator. The<br />
first section of this chapter presents the IEC 61508 requirements to be followed.<br />
The second part of this chapter concerns the sharing of sensors and actuators, if required, between the different<br />
I&C Central Systems (CODAC, Interlock or Safety).<br />
5.1 IEC 61508 requirements and concepts<br />
Instrumentation using sensors and actuators poses considerable safety responsibilities.<br />
Suitably qualified sensors and actuators are necessary to achieve the safety integrity level of the <strong>OS</strong> functions.<br />
The following requirements and concepts should be taken into account <strong>for</strong> sensor <strong>design</strong> and <strong>for</strong> final control<br />
element architecture:<br />
Quantitative requirements (probability of failure, refer to section 2.3.2.1),<br />
Qualitative requirements (hardware fault tolerance, refer to section 2.3.2.2),<br />
“Proven in use” concept,<br />
Diversity concept,<br />
Fail-safe concept.<br />
The following sections describe the last 3 items.<br />
5.1.1 Proven in use components<br />
If a sensor or actuator which has not already been certified is identified, then the Plant System <strong>design</strong>er may turn<br />
to “proven in use” components.<br />
From IEC 61511 Part2 Section 11.5.3.1:<br />
“There are very few field devices (sensors and valves) that are <strong>design</strong>ed per IEC 61508-2 and IEC 61508-3. Users<br />
and <strong>design</strong>ers will there<strong>for</strong>e have to depend more heavily on using field devices that have been “proven-in-use””.<br />
Refer to [RS2], IEC 61511 standard parts 1 & 2 section 11.5.3.1 <strong>for</strong> more details about Proven in use concepts and<br />
requirements.<br />
5.1.2 Diversified components<br />
To limit common mode of failure, whenever possible, the choice of redundant instruments should be diversified<br />
(use of different technologies or different manufacturers).<br />
5.1.3 Fail-safe components<br />
5.1.3.1 Definition<br />
In the event of a failure, a fail-safe component or system will automatically switch to a safe state.<br />
In particular:<br />
<br />
<br />
In the case of a fail-safe sensor failure, the system will automatically switch to a safe state thanks to<br />
health monitoring of the signal used.<br />
In the case of failure of a de-energized to trip actuator, the system will automatically switch to a safe state<br />
in case of loss of power supply or loss of signal thanks to the safe position of the actuator.<br />
Page 42 of 95
5.1.3.2 Principles<br />
Apart from some specific cases, the <strong>design</strong> of Plant System must use fail-safe principles to initiate safety actions.<br />
This means that the safe position of an actuator is reached when the power to that actuator is switched off. So, in<br />
the event of power failure, all PLC outputs (actuators commands) will go to the de-energized condition there<strong>for</strong>e<br />
putting the actuators in the safe position. When the power is restored all outputs must remain de-energized until<br />
appropriate resets.<br />
Specific inputs/outputs that are energized-to-trip (not fail-safe) will have health monitoring on the line (supervised<br />
digital input and supervised digital output).<br />
5.1.3.3 Energized to trip & de-energized to trip concepts<br />
A safety system is typically <strong>design</strong>ed as normally energized (de-energize-to-trip) so that it is fail-safe.<br />
If there is loss of power or loss of connectivity between system components then the I&C System will respond by<br />
a tripping action. This result in higher safety integrity, but it can also result in more spurious trips of the process.<br />
Figure 5.1: De-energized to trip principle<br />
In some cases, a spurious trip can have dangerous results. For example, initiating a water deluge system inside a<br />
building can cause damage to equipment and can be hazardous to personnel. Chemical fire suppression can be<br />
dangerous to personnel, and false alarms degrade the willingness to respond by plant personnel. Energized to trip<br />
systems can help address this type of situation.<br />
In an Energized to trip <strong>design</strong>, the safety loop has to be energized in order to initiate a trip of the safety system.<br />
This means that failures such as loss of power or loss of connectivity between components have to be managed by<br />
adequate diagnostics to detect the failures. In an energized to trip <strong>design</strong>, line monitoring is essential to detect<br />
open-loops and short circuit failures in wiring between logic solver I/O and field devices.<br />
Figure 5.2: Energized to trip principle<br />
5.1.3.4 Signal monitoring<br />
From field devices of IEC 61511 Part1:<br />
”Energizing to trip discrete input/output circuits shall apply a method to ensure circuit and power supply<br />
integrity”.<br />
Page 43 of 95
5.1.3.4.1 Definition<br />
The signal monitoring consists of continuously checking the validity of the signal.<br />
First of all, it is important to differentiate between a contact normally opened and an opened contact due to a fault<br />
such as an open loop. In the same way, it is important to make the difference between a closed contact and a short<br />
circuit.<br />
Indeed, when the safety function is solicited, the signal must work and has to be sent to the safety system.<br />
The signal monitoring allows a maintenance action to be launched when a signal is not valid. In this way the<br />
signal can be repaired and the I&C system will be fully operational again.<br />
5.1.3.4.2 Application<br />
mA<br />
Case 4<br />
SIGNAL INVALID<br />
(short circuit)<br />
SAFETY<br />
ACTIVATED<br />
20,007 mA<br />
Case 3<br />
SIGNAL VALID<br />
(unsafe condition)<br />
SAFETY<br />
ACTIVATED<br />
x mA<br />
Case 2<br />
SIGNAL VALID<br />
(safe condition)<br />
SAFETY NOT<br />
ACTIVATED<br />
3,9995 mA<br />
Case 1<br />
SIGNAL INVALID<br />
(open circuit)<br />
SAFETY<br />
ACTIVATED<br />
0 mA<br />
Figure 5.3: Fail-safe principle<br />
Example with an analogue sensor:<br />
The first objective <strong>for</strong> this analogue sensor, checking a process variable, is to switch from safe condition to unsafe<br />
condition according to the x mA threshold monitoring.<br />
The second objective <strong>for</strong> this sensor is to switch from signal valid to signal invalid through the monitoring of the<br />
signal validity values (3.9995 mA and 20.007 mA). In this condition, the signal monitoring checks <strong>for</strong> the invalid<br />
areas (case 1 and case 4):<br />
Case 1: if the loop is opened, the system will receive 0mA.<br />
Case 2 and 3: if the transmitter is online and OK, the system will receive a value between 4 and 20mA.<br />
Case 4: if the transmitter is in short circuit, the system will receive over 20mA.<br />
Surveillance of invalid areas facilitates automatic switching to a safe state.<br />
5.1.3.5 Conclusion<br />
Fail-safe principles must be taken into account during sensor and actuator <strong>design</strong> <strong>for</strong> Plant System.<br />
Wherever there is a choice, analogue signals should be used in preference to digital on/off states.<br />
The energized to trip concept should only be used if the de-energized to trip concept is not applicable, or if<br />
spurious actuation can cause damage to equipment and can be hazardous to personnel.<br />
Page 44 of 95
For energized-to-trip sensors, line health monitoring must be used.<br />
5.1.4 Sensors and actuators connection to Safety Modules<br />
In standard availability architecture, redundant sensors and actuators can be connected to different safety modules<br />
on the same remote I/O station. If the amount of I/O requires additional peripheral racks, then the redundant I/O<br />
must be connected to different racks.<br />
In high availability architecture, redundant sensors and actuators must be connected to different remote I/O<br />
stations. In case of 2oo4 voting, the redundant components can be distributed over 3 racks.<br />
5.2 Sharing of sensor or actuator between Occupational Safety,<br />
Conventional Control and Investment Protection Systems<br />
5.2.1 Sharing of Sensor<br />
If a sensor has to be shared between Occupational Safety System and Interlock System or between Occupational<br />
Safety System and Conventional control System, the preferred solution is to duplicate it (together with its<br />
redundancy) and to totally separate the systems, linking one to the <strong>PSS</strong>-<strong>OS</strong> and the other to the PIS or the PSCC.<br />
If the sensor cannot be duplicated, specific solutions should be studied case by case.<br />
5.2.2 Sharing of actuator<br />
If an actuator has to be shared between Occupational Safety System and Interlock System or between<br />
Occupational Safety System and Conventional control System, the preferred solution is to duplicate it (together<br />
with its redundancy) and to totally separate the systems, linking one to the <strong>PSS</strong>-<strong>OS</strong> and the other to the PIS or the<br />
PSCC.<br />
When the actuator cannot be duplicated two solutions are proposed:<br />
<br />
Solution 1: As <strong>PSS</strong>-<strong>OS</strong> is the most critical system, it takes control of the actuator, sharing its commands<br />
via the CSS-<strong>OS</strong> / CODAC interface (non-secured) or the CSS-<strong>OS</strong> / CIS interface (secured). The<br />
command priority of the actuator is managed in the most critical system (<strong>PSS</strong>-<strong>OS</strong>). The priority<br />
management is based on relay technology in the actuator power cubicle.<br />
<br />
Solution 2: The actuator is shared but the command is per<strong>for</strong>med separately by each system. The actuator<br />
respects the fail-safe principle, any system commanding the actuator in safe position has priority.<br />
Example: A valve can be finely regulated by conventional control but can also be reliably set in two<br />
single states (open-closed) by the safety system (the regulation loop controlled by the conventional<br />
system is opened by a safety relay controlled by the safety system: when the loop is opened, the valve<br />
goes to a safe position).<br />
Page 45 of 95
6 Networks<br />
6.1 Connection between <strong>PSS</strong>-<strong>OS</strong> and CSS-<strong>OS</strong><br />
The <strong>PSS</strong>-<strong>OS</strong> is linked to CSS-<strong>OS</strong> through the CSN-<strong>OS</strong> Network.<br />
The <strong>PSS</strong>-<strong>OS</strong> will be connected to both the Main and Backup CSN-<strong>OS</strong> Networks through the closest CSN-<strong>OS</strong><br />
Network Panel hosting CSN-<strong>OS</strong>. The link between <strong>PSS</strong>-<strong>OS</strong> Network Cubicle and CSS-<strong>OS</strong> Network Panel should<br />
use fibre-optic cables as follows: two optical strands <strong>for</strong> CSN-<strong>OS</strong> Main Network and two optical strands <strong>for</strong> CSN-<br />
<strong>OS</strong> Backup Network.<br />
The CSN-<strong>OS</strong> Network Panel, commonly called Safety Network Panel (SNP), is a passive wall-mounted patch<br />
panel which is the physical termination point <strong>for</strong> the CSN-<strong>OS</strong> Network. The CSN-<strong>OS</strong> Network Panels are<br />
installed at strategic locations close to the plant system I&C cubicles concerned by <strong>OS</strong>.<br />
A typical network panel layout is shown on the Figure below.<br />
Figure 6.1: PBS48.<strong>OS</strong> Network Panel<br />
The <strong>PSS</strong>-<strong>OS</strong> owner (RO) is in charge of connecting the <strong>PSS</strong>-<strong>OS</strong> Network to the CSN-<strong>OS</strong> Network, as described in<br />
the Interface Sheets between PBS.48 and the PBS of the <strong>PSS</strong>.<br />
The CSN-<strong>OS</strong> Network is based on two protocols which ensure communication:<br />
<br />
<br />
To connect <strong>PSS</strong>-<strong>OS</strong> Safety PLCs to the CSS-<strong>OS</strong> Safety PLC – SIMATIC S7 connection on Industrial<br />
Ethernet support,<br />
To connect <strong>PSS</strong>-<strong>OS</strong> PLCs (conventional and safety) to the CSS-<strong>OS</strong> SCADA – Open IE on Industrial<br />
Ethernet.<br />
Page 46 of 95
Figure 6.2: <strong>PSS</strong>-<strong>OS</strong> scope<br />
Note 1: Refer to chapter 7 – Hardware about <strong>OS</strong> network components requirements.<br />
Note 2: Due to high magnetic fields and radiation levels, no safety I&C Logic control cubicles will be installed<br />
inside the Tokamak Building (B11).<br />
Refer to [RD6], the ITER_Policy_on_EEE_in_Tokamak_complex_ITER_D_6ZX6S3 and [RD7],<br />
Guidance_<strong>for</strong>_EEE_in_Tokamak_Complex_ITER_D_7NPFMA documents <strong>for</strong> more details.<br />
6.2 Connection between <strong>PSS</strong>-<strong>OS</strong> and the I/O modules<br />
The connection between the <strong>PSS</strong>-<strong>OS</strong> and its remote periphery is part of the PSN-<strong>OS</strong>.<br />
The SIMATIC fail-safe signal modules will be operated in the SIMATIC ET200M distributed I/O system. Safety<br />
communication between the safety program in the F-CPU and the fail-safe I/O modules takes place via the<br />
standard ProfiBus DP with ProfiSafe safety profile.<br />
Page 47 of 95
PBS.X Cubicle<br />
MAIN SWITCH<br />
BACK-UP SWITCH<br />
RJ45<br />
RJ45<br />
<strong>PSS</strong>-<strong>OS</strong><br />
Rack 0<br />
PSa PSb CPU C<br />
P<br />
a<br />
C<br />
P<br />
b<br />
Sensor a<br />
Bus 0 Profinet<br />
Bus 1 Profinet<br />
Bus 0 Profibus<br />
DP<br />
Sensor b<br />
Actuator a<br />
Actuator b<br />
DP<br />
<strong>PSS</strong>-<strong>OS</strong> Periphery<br />
Rack 1<br />
IM0a DIa DIb DOa DOb AI<br />
AI<br />
Figure 6.3: Connection between <strong>PSS</strong>-<strong>OS</strong> and an I/O<br />
In the case of architecture with high availability, the ProfiBus network must be redundant: each redundant CPU is<br />
connected to all the peripheral racks using two interface modules per rack as shown on the figure below:<br />
Page 48 of 95
PBS.X Cubicle<br />
MAIN SWITCH<br />
BACK-UP SWITCH<br />
RJ45<br />
RJ45<br />
<strong>PSS</strong>-<strong>OS</strong><br />
Rack 0<br />
PS0a PS0b CPU<br />
0<br />
C<br />
P<br />
0<br />
<strong>PSS</strong>-<strong>OS</strong><br />
Rack 1<br />
PS1a PS1b CPU<br />
1<br />
C<br />
P<br />
1<br />
Sync<br />
10m<br />
Sync<br />
10m<br />
DP<br />
FO (2m)<br />
FO (2m)<br />
Sync<br />
10m<br />
Sync<br />
10m<br />
DP<br />
Bus 0 Profibus<br />
Bus 1 Profibus<br />
Bus 0 Profinet<br />
Bus 1 Profinet<br />
Sensor a<br />
Actuator a<br />
<strong>PSS</strong>-<strong>OS</strong> Periphery<br />
Rack 2<br />
DP<br />
DP<br />
IM0a IM1a DIa DI DOa DO DO DO AI<br />
Sensor b<br />
Actuator b<br />
DP<br />
DP<br />
<strong>PSS</strong>-<strong>OS</strong> Periphery<br />
Rack 3<br />
IM0b IM1b DIb<br />
DI DOb DO DO DO AI<br />
Sensor c<br />
Actuator c<br />
DP<br />
DP<br />
IM0c IM1c DIc<br />
DI DOc DO AI<br />
<strong>PSS</strong>-<strong>OS</strong> Periphery<br />
Rack 4<br />
Figure 6.4: Connection between <strong>PSS</strong>-<strong>OS</strong> and Multiples I/O<br />
In the case of a long distance <strong>for</strong> the ProfiBus I/O bus, it is possible to use optical link modules.<br />
6.3 Connection between different <strong>PSS</strong>-<strong>OS</strong> in the same plant system<br />
Some specific cases may require a direct interconnection between different <strong>PSS</strong>-<strong>OS</strong> in the same plant system<br />
without contribution from the CSS-<strong>OS</strong>. This has to be considered as a deviation from the principles and the ITER<br />
Organization has to approve it. This interconnection is a part of the PSN-<strong>OS</strong>.<br />
The number of <strong>PSS</strong>-<strong>OS</strong> inside the same plant system should be kept as low as possible and it can only increase<br />
when justified, <strong>for</strong> example by geographical or operational reasons.<br />
Page 49 of 95
The connection from <strong>PSS</strong>-<strong>OS</strong> to the <strong>PSS</strong>-<strong>OS</strong> connected to the CSS-<strong>OS</strong>, inside the same plant system, is dedicated<br />
<strong>for</strong> the exchange of critical safety data.<br />
The link between several <strong>PSS</strong>-<strong>OS</strong> in the same plant can be hardwired or computerized and can also be single or<br />
redundant to satisfy availability requirements. In the case of SIL-3 functions, this connection should be redundant.<br />
An example of connection between different <strong>PSS</strong>-<strong>OS</strong> in the same plant system is shown in section 4.3 Specific<br />
<strong>PSS</strong>-<strong>OS</strong> inter-exchanges.<br />
6.4 Connection between different <strong>PSS</strong>-<strong>OS</strong> in different plant systems<br />
The direct connection between plant safety systems <strong>for</strong> occupational safety belonging to different plant systems is,<br />
in principle, not allowed. This has to be considered as a deviation from the principles and the ITER Organization<br />
has to approve it. These exceptions can be made <strong>for</strong> per<strong>for</strong>mance or integrity reasons.<br />
An example of connection between different <strong>PSS</strong>-<strong>OS</strong> in different plant systems is shown in section 4.3 Specific<br />
<strong>PSS</strong>-<strong>OS</strong> inter-exchanges.<br />
Page 50 of 95
7 Hardware<br />
This chapter presents:<br />
<br />
<br />
A description of the hardware involved in the architectures described in chapter 4 – <strong>PSS</strong>-<strong>OS</strong><br />
Architectures and chapter 6 - Networks.<br />
The technical requirements applicable to these hardware components.<br />
The logic components used in the <strong>PSS</strong>-<strong>OS</strong> architectures must come from the [RD13], ITER Catalogue <strong>for</strong> I&C<br />
Products – Siemens S7 PLC catalogue [ITER_D_333J63].<br />
7.1 <strong>PSS</strong>-<strong>OS</strong> PLC<br />
Two fail-safe systems are available <strong>for</strong> integrating safety engineering into SIMATIC S7 automation systems:<br />
<br />
<br />
The S7 Distributed safety System,<br />
The S7 F/FH System.<br />
Each system has specific hardware components and software tools associated with it. The main characteristics of<br />
the components selected <strong>for</strong> occupational safety needs are described below.<br />
Refer to section 8.1 – SIEMENS tools <strong>for</strong> more details about the associated software tools.<br />
S7-300F-2PN/DP CPU<br />
Derived from the S7 Distributed Safety System,<br />
Failsafe automation system <strong>for</strong> plants with increased safety requirements,<br />
Complies with safety requirements to SIL3 in accordance with IEC 61508,<br />
Based on S7-300,<br />
ET200M distributed I/O stations with safety-related modules can be connected,<br />
Communication to EPICS SCADA front-ends via Industrial Ethernet 100 Mbits/s,<br />
Safety-related communication to remote I/O station via ProfiBus DP with ProfiSafe profile.<br />
S7-400-5H CPU<br />
Derived from the S7 F/FH System,<br />
Failsafe automation system <strong>for</strong> plants with increased safety requirements,<br />
Complies with safety requirements to SIL3 in accordance with IEC 61508,<br />
Fault tolerant through redundant <strong>design</strong>,<br />
ET200M distributed I/O stations with safety-related modules can be connected.<br />
Communication to EPICS SCADA front-ends via Industrial Ethernet 100 Mbits/s,<br />
Safety-relevant communication to remote I/O station via ProfiBus DP with ProfiSafe profile.<br />
If the Plant System requires a standard availability architecture, S7-300F-2PN/DP CPU with distributed<br />
safety software should be used.<br />
If the Plant System requires a specific standard availability architecture or a high availability architecture,<br />
S7-400-5H CPU with F-system software should be used.<br />
If the Plant System monitors/controls more than 200 inputs/outputs, S7-400-5H CPU with F-system can be<br />
used.<br />
Page 51 of 95
S7 ET200M remote I/O<br />
Complies with safety requirements to SIL3 in accordance with IEC 61508,<br />
Safety-relevant communication to CPU via Redundant ProfiBus DP with ProfiSafe profile,<br />
Safety modules compatibility,<br />
Standard modules compatibility <strong>for</strong> non-safety-related applications.<br />
S7 Safety Modules<br />
Compared to the standard modules of the S7-300 module family, the fail-safe signal modules differ in terms of<br />
their internal dual-channel structure. The two integrated processors monitor each other, automatically test the I/O<br />
circuits and <strong>for</strong>ce the fail-safe signal module into safe state when a fault/error has been detected. The F-CPU<br />
communicates with the fail-safe signal module by means of the safety-oriented ProfiSafe bus profile.<br />
Complies with safety requirements to SIL3 in accordance with IEC 61508,<br />
Support applications <strong>for</strong> S7-300 system (centrally in S7-300 station and distributed in ET200M<br />
station) and <strong>for</strong> S7-400 system (distributed in ET200M station),<br />
Digital Input module,<br />
Analogue Input module,<br />
Digital Output module.<br />
Refer to [RD13], the ITER Catalogue <strong>for</strong> I&C products – Slow Controllers [ITER_D_333J63] <strong>for</strong> more details<br />
about these components and about complementary components like the power and communication modules.<br />
Refer to appendix 1 <strong>for</strong> complete and detailed lists of hardware component <strong>for</strong> each architecture proposed in<br />
chapter 4 – <strong>PSS</strong>-<strong>OS</strong> architectures.<br />
7.2 <strong>PSS</strong>-<strong>OS</strong> cubicles<br />
I&C Cubicles are standardized and specified in:<br />
- [RD12], ITER catalogue <strong>for</strong> I&C products – Cubicles [ITER_D_35LXVZ],<br />
- [RD14], <strong>Guidelines</strong> <strong>for</strong> I&C Cubicle Configurations [ITER_D_476HUG],<br />
- [RD2], Plant Control Design Handbook [ITER_D_27LH2V].<br />
The components belonging to the <strong>PSS</strong>-<strong>OS</strong> are hosted in dedicated <strong>PSS</strong>-<strong>OS</strong> cubicles which must not be shared with<br />
conventional control or plant interlock systems.<br />
All electrical components (power supplies, circuit breakers…) have to be fully accessible and easily removable in<br />
order to be replaced even if the cubicle is still powered (use of DIN rail is preferred).<br />
For maintenance purposes, cubicles should be installed as far as possible from the sources of disturbances of<br />
Building 11 and in areas which are accessible during plasma operation.<br />
7.2.1 Cubicle Monitoring<br />
The standard I&C cubicle <strong>for</strong> ITER includes a monitoring system. Its final hardware configuration will depend on<br />
the specific cubicle <strong>for</strong>m factor. This system will be provided by the <strong>PSS</strong>-<strong>OS</strong>.<br />
The <strong>PSS</strong>-<strong>OS</strong> cubicle configuration must comply with the <strong>design</strong> specifications <strong>for</strong> hardware integration of the<br />
monitoring system in I&C cubicle specified in [RD17], the I&C cubicle internal configuration<br />
[ITER_D_4H5DW6].<br />
Occupational Safety particular <strong>design</strong> point:<br />
Each <strong>PSS</strong>-<strong>OS</strong> cubicle monitoring system should be connected to the CSS-<strong>OS</strong> via the CSN-<strong>OS</strong> as opposed to the<br />
PON network of the CODAC system.<br />
Page 52 of 95
7.3 <strong>PSS</strong>-<strong>OS</strong> Switch<br />
The connection between the <strong>PSS</strong>-<strong>OS</strong> and the CSN-<strong>OS</strong> is made through the <strong>PSS</strong>-<strong>OS</strong> switch to the closest Safety<br />
Network Panel (SNP).<br />
The plant system must provide the redundant fibre-optic connection up to the SNP (two optical strands singlemode<br />
<strong>for</strong> CSN-<strong>OS</strong> Main Network and two optical strands single-mode <strong>for</strong> CSN-<strong>OS</strong> Backup Network). These<br />
connections will include spare strands <strong>for</strong> maintenance or future growth of the system.<br />
The <strong>PSS</strong>-<strong>OS</strong> owner (RO) is in charge of connecting the <strong>PSS</strong>-<strong>OS</strong> to the CSN-<strong>OS</strong> Networks, as described in the<br />
Interface sheets between PBS.48 and the PBS of the <strong>PSS</strong>-<strong>OS</strong>.<br />
7.3.1 Conceptual principles<br />
The CSN-<strong>OS</strong> networks are a single-mode fibre-optic interface and are capable of transmit all <strong>PSS</strong>-<strong>OS</strong> in<strong>for</strong>mation,<br />
such as safety communication and monitoring data under the Ethernet communication protocol.<br />
It will also be in charge of converting data from the fibre-optic interface to the copper hardware interface.<br />
Inside each cubicle, two switches are dedicated to one CSN network (one switch per CSN) to manage several<br />
functionalities, like safety communication management, diagnostics…<br />
Figure 7.1: Power supply redundancy principle<br />
7.3.2 Switch Specifications<br />
The characteristics required are:<br />
- Managed switch,<br />
- One Single-mode fibre-optic interface port,<br />
- A minimum of 3 RJ45 interface ports,<br />
- 24Vcc power supply redundancy management,<br />
- Security management (filtering by IP and MAC),<br />
- SNMP management,<br />
- Ethernet profile.<br />
The network equipment must be chosen from the ITER Catalogue of I&C products <strong>for</strong> Networks products.<br />
Page 53 of 95
7.4 <strong>PSS</strong>-<strong>OS</strong> signal cabling<br />
When signal redundancy is required, the redundant cables should be kept as separate as possible but they may be<br />
routed through the same cable tray.<br />
7.4.1 PSN-<strong>OS</strong> Network<br />
The connection between the <strong>PSS</strong>-<strong>OS</strong> and its remote periphery is part of the PSN-<strong>OS</strong>.<br />
In the case of a long distance <strong>for</strong> the ProfiBus I/O bus, it is possible to use optical link modules.<br />
The communication cables may be routed together with the conventional control cables.<br />
7.4.2 Sensor / actuator<br />
It is recommended that sensor / actuators signals are connected to the SIMATIC I/O modules through terminal<br />
blocks. It is advisable to install an external protective circuit in order to provide sufficient surge strength to an<br />
ET200M with fail-safe signal modules. It is recommended that the Marshalling Terminal Assembly referenced in<br />
the Catalogue <strong>for</strong> I&C products – Slow controllers is used. It is possible to use ABB/ENTRELEC or PHOENIX<br />
CONTACT equipment as recommended in the <strong>Guidelines</strong> <strong>for</strong> I&C cubicles configuration if these equipment are<br />
certified IEC 61508 and enable the reliability requirements to be fulfilled.<br />
The cables should be selected from the [RD19], the IO Cable Catalogue [ITER_D_355QX2].<br />
The <strong>PSS</strong>-<strong>OS</strong> signal cabling must be compliant with:<br />
[RD2], Plant Control Design Handbook [ITER_D_27LH2V],<br />
[RD17], I&C cubicle internal configuration [ITER_D_4H5DW6],<br />
[RD14], <strong>Guidelines</strong> <strong>for</strong> I&C Cubicle Configurations [ITER_D_476HUG].<br />
7.5 <strong>PSS</strong>-<strong>OS</strong> powering<br />
7.5.1 Conceptual principles<br />
The powering of <strong>PSS</strong>-<strong>OS</strong> cubicles must be compliant with the Electrical Design Handbook, in particular, Guide A:<br />
Electrical Installations <strong>for</strong> SSEN Systems [ITER_D_2EB9VT].<br />
The following rules apply:<br />
- All <strong>PSS</strong>-<strong>OS</strong> cubicles and components must be redundantly powered,<br />
- The redundant powering cables must be kept as separate as possible although sharing of the same cable<br />
tray is permitted,<br />
- The mounting rail must be bonded to ground,<br />
- Circuit breakers must at least permit the independent power on/off of each train, each architecture and its<br />
periphery independently.<br />
- The power supplies should be monitored so that a failure of one power supply can be reported and<br />
repaired so that the system will not stay too long without redundancy.<br />
The <strong>PSS</strong>-<strong>OS</strong> cubicles are powered by two independent sources:<br />
Class II-IP power supply: an uninterruptible with backup by battery set of 1 hour autonomy and by a<br />
diesel generator available <strong>for</strong> 24 hours,<br />
Class IV-OL power supply: an alternative power supply in the event of class II-IP inverter failure or<br />
fault in the class II-IP power feeder.<br />
Page 54 of 95
The 24Vdc will be generated locally by redundant power supply modules using the Class II-IP or Class IV-OL<br />
sources. It is recommended that the power supplies <strong>for</strong> the digital I/O and the analogue inputs are separated.<br />
If <strong>PSS</strong>-<strong>OS</strong> equipment needs additional voltages, they should be obtained by trans<strong>for</strong>ming the existing voltages<br />
using appropriate components, which will be compliant with the SIL requirements of the function. This additional<br />
powering must be redundant.<br />
7.5.2 CPU racks<br />
Two families of SIMATIC CPU are used <strong>for</strong> the <strong>PSS</strong>-<strong>OS</strong> architectures and there<strong>for</strong>e there are two types of<br />
SIMATIC rack: the S7-300 rack and the S7-400 rack. Only the second one can be equipped with redundant power<br />
supplies. The solution <strong>for</strong> the S7-300 rack is to use two external non-redundant power supplies and one add-on<br />
module. Using diodes, the add-on module disconnects two parallel basic power devices. Failure of a single power<br />
supply no longer compromises the safe and uninterrupted supply of 24 volt power.<br />
Figure 7.2: CPU 300F Power supply redundancy principle<br />
Each S7-400 rack must be powered by two redundant power supply modules. The first power supply module<br />
should be powered by a class II-IP power supply and the second one by a class IV-OL power supply. Each power<br />
supply module must have two backup batteries in its battery compartment as shown on the schema below:<br />
Page 55 of 95
Figure 7.3: CPU 400H Power supply redundancy principle<br />
In the case of a redundant architecture of CPUs (high availability architecture), the same principle as above will<br />
apply: each CPU rack must be powered by two redundant power supply modules powered by two independent<br />
sources: Class IV OL and class II IP. Each power supply module must also have two sets of backup batteries in its<br />
battery compartment. The principle is shown on the figure below:<br />
Figure 7.4: Redundant CPU 400H Power supply redundancy principle<br />
The power supply equipment must be chosen from the [RD13], ITER Catalogue <strong>for</strong> I&C products – Slow<br />
Controller [ITER_D_333J63].<br />
Page 56 of 95
7.5.3 Peripheral racks<br />
Like <strong>for</strong> the S7-300 rack, there is no dedicated redundant power module available <strong>for</strong> the SIMATIC remote I/O<br />
selected <strong>for</strong> the <strong>PSS</strong>-<strong>OS</strong> need (S7 ET200M). This is why the solution is identical to that <strong>for</strong> the S7-300 rack, using<br />
two external non-redundant power supplies and one add-on module (refer to section 7.5.2 <strong>for</strong> more details).<br />
PS II-IP<br />
PS IV-OL<br />
Figure 7.5: Add-on module principle<br />
The figure below describes the powering concept <strong>for</strong> a peripheral rack:<br />
DP<br />
IM DI DI DO DO AI AI<br />
PSa PSb Redundancy<br />
Class II-IP - 230Vac<br />
Redundant PS – 24Vdc<br />
Class IV - 230Vac<br />
Figure 7.6: Remote I/O Power supply redundancy principle<br />
In the case of a redundant architecture with multiple peripheral racks the principle stays the same: each peripheral<br />
rack will be powered by two power supply modules: 230Vac powered by the independent Class IV OL and class<br />
II IP sources, and one redundant module.<br />
The figure below describes the powering concept <strong>for</strong> multiple peripheral racks:<br />
Page 57 of 95
DP<br />
DP<br />
IM0a<br />
IM1a DI DI DO DO AI AI<br />
PSa<br />
PSb<br />
Redundancy<br />
1<br />
Class II-IP - 230Vac<br />
Class IV - 230Vac<br />
Redundant PS – 24Vdc<br />
DP<br />
DP<br />
IM0b<br />
IM1b DI DI DO DO AI AI<br />
Redundancy<br />
2<br />
Redundant PS – 24Vdc<br />
Figure 7.7: Remote I/Os Power supply redundancy principle<br />
Note: It is recommended that the power supplies <strong>for</strong> the digital I/O and the analogue inputs are separated.<br />
7.5.4 Network products<br />
Each network product (switches, electronic devices…) involved in PSN-<strong>OS</strong> or in CSN-<strong>OS</strong> should be powered by<br />
both of the independent sources, Class IV OL and Class II IP, as shown on the figure below:<br />
Figure 7.8: Switches Power supply redundancy principle<br />
7.5.5 Cubicle Power distribution<br />
Refer to the [RD14], <strong>Guidelines</strong> <strong>for</strong> I&C Cubicle Configuration [ITER_D_476HUG] <strong>for</strong> the <strong>PSS</strong>-<strong>OS</strong> application.<br />
Page 58 of 95
8 Software tools and requirements<br />
This chapter presents all the software to be used by the <strong>PSS</strong>-<strong>OS</strong> and the requirements associated with the <strong>OS</strong><br />
environment.<br />
The PLC software, in the <strong>for</strong>m of the SIEMENS tools is necessary to configure, develop and manage the<br />
occupational safety programmable logic controller (PLC) environment.<br />
The HMI software, in the <strong>for</strong>m of the CODAC tools is used to develop and manage the occupational safety<br />
SCADA environment.<br />
8.1 SIEMENS tools<br />
The two fail-safe systems available in SIMATIC S7 automation systems (S7 Distributed Safety and S7 F/FH)<br />
should be evaluated according to the hardware architecture developed and the relevant availability level.<br />
The list of SIEMENS tools to be considered is:<br />
- SIMATIC STEP7 professional software,<br />
- SIMATIC STEP7 Optional package S7 Distributed Safety, which is only used to engineer the hardware<br />
and configure the occupational safety functions <strong>for</strong> architectures requiring standard availability. <strong>OS</strong><br />
functions are configured in F-LAD or F-FBD languages,<br />
- SIMATIC STEP7 Optional package S7 F Systems, which is used to engineer the hardware and configure<br />
the occupational safety functions <strong>for</strong> certain architectures requiring standard availability and<br />
architectures which require high availability. It expands the S7-400H controller <strong>for</strong> <strong>OS</strong> functions by<br />
providing pre-configured blocks, certified by the German Technical Inspectorate (TÜV) according to SIL<br />
3 IEC 61508. <strong>OS</strong> functions are configured in Continuous Function Charts (CFC) with certified function<br />
blocks.<br />
8.2 CODAC tools<br />
The CSS-<strong>OS</strong> SCADA will be a dedicated SCADA using the CODAC Core System technology and associated<br />
configuration tools. It will provide the following set of central services:<br />
<br />
<br />
<br />
<br />
<br />
Operator interface engine,<br />
Alarms service,<br />
Data archiving service,<br />
Error and trace logging service,<br />
I&C configuration database.<br />
The CODAC Core System is a software package distributed by the IO CODAC Section <strong>for</strong> the development of the<br />
plant system I&C. It provides the plant system I&C developers with the environment required to develop and test<br />
the software in a way that complies with the ITER requirements.<br />
This software package includes:<br />
<br />
<br />
<br />
Self-Description Data Toolkit (database tool),<br />
Control System Studio (HMI, alarm and archiving tool),<br />
PLC and Fast Controllers support (interface tool).<br />
Note 1: The description of elements below is mainly <strong>for</strong> in<strong>for</strong>mation, refer to [RD22], the CODAC Core System<br />
Overview [ITER_D_34SDZ5] <strong>for</strong> more details.<br />
Note 2: Delivery of the <strong>PSS</strong>-<strong>OS</strong> may require delivering CODAC configuration files, to be used on the mini CSS-<br />
<strong>OS</strong> <strong>for</strong> the first levels of testing.<br />
Page 59 of 95
8.2.1 Self-description Data Toolkit (SDD)<br />
The Core System includes a tool developed in-house – the Self-Describing Data (SDD) Toolkit – which allows the<br />
plant system I&C <strong>design</strong>ers to define their plant system PVs, along with their settings and in<strong>for</strong>mation about the<br />
configuration of these PVs. SDD supports configuration of all of CODAC Core, its applications, its operator<br />
displays and its interfaces in a self-consistent way. In particular, it is the tool <strong>for</strong> the configuration of plant system<br />
I&Cs.<br />
8.2.2 Control System Studio<br />
8.2.2.1 Operator Interface (BOY)<br />
BOY is a component of the Control System Studio toolkit. The BOY runtime environment connects to the control<br />
system, displays the operator interface (OPI), animates graphical widgets according to EPICS PV value, alarm<br />
status/severity and connection status, shows PV’s range and the definition of alarm limits and allows the operator<br />
to interact with the process by providing input data.<br />
This tool is required <strong>for</strong> the operator interface related to the <strong>OS</strong> I&C functions.<br />
8.2.2.2 Alarm Interface (BEAST)<br />
BEAST is a component of the Control System Studio toolkit. The BEAST distributed alarm system consists of:<br />
An alarm server that monitors alarm triggers in the control system and notifies appropriate stakeholders,<br />
The graphical user interface <strong>for</strong> viewing current alarms as a table or hierarchical tree, showing<br />
guidance, executing commands, opening dedicated displays and acknowledging raised alarms,<br />
A relational database <strong>for</strong> configuration and logging,<br />
Web reports to analyse the number and frequency of alarms.<br />
Configuration files are required <strong>for</strong> alarms related to the <strong>OS</strong> I&C functions.<br />
8.2.2.3 Engineering Archives (BEAUTY)<br />
BEAUTY is a component of the Control System Studio toolkit. The BEAUTY distributed archive system consists<br />
of:<br />
An archive engine that monitors EPICS PVs to be archived in the control system,<br />
The graphical user interface <strong>for</strong> displaying live and historic data in a plot, making some computations,<br />
adding annotations to the plot and exporting samples to different file <strong>for</strong>mats such as Excel spread<br />
sheets or Matlab,<br />
A relational database <strong>for</strong> configuration and archiving of the samples.<br />
Configuration files are required <strong>for</strong> archiving associated with the <strong>OS</strong> I&C functions.<br />
Page 60 of 95
9 Software Interfaces and Functional Requirements<br />
In order to develop a homogeneous and efficient overall <strong>OS</strong> I&C system, it has been decided to standardize the<br />
control and monitoring parameters of the <strong>OS</strong> I&C functions, and the interface between the <strong>PSS</strong>-<strong>OS</strong> and the CSS-<br />
<strong>OS</strong>. This standardization will be highly beneficial from the Human Factors point of view and <strong>for</strong> the integration of<br />
the system.<br />
SCS-<strong>OS</strong> <strong>design</strong> had to take this into consideration and facilitate the integration of new <strong>OS</strong> I&C functions into the<br />
system as far as possible and at the same time, maintain the certification of the complete system. This means:<br />
• Minimizing the configuration errors related to new functions,<br />
• Reducing the impact of new functions on the previously installed certified functions,<br />
• Minimizing the non-regression tests required after the integration of new functions.<br />
To realize this objective, IO has standardized the <strong>OS</strong> functions concepts (states and status functions, monitored<br />
in<strong>for</strong>mation, reset, override, messaging…) and the standard interface between an <strong>OS</strong> I&C function and the CSS-<br />
<strong>OS</strong>. It especially applies to the local <strong>OS</strong> functions. Most occupational safety functions should be functions which<br />
only need the CSS-<strong>OS</strong> <strong>for</strong> supervisory features and no safety processes. Moreover, occupational safety functions<br />
are similar enough to enable the standardization of the interface between the <strong>PSS</strong>-<strong>OS</strong> and the CSS-<strong>OS</strong>.<br />
When an <strong>OS</strong> I&C function can be standardized in this way, it is called a “Standard <strong>OS</strong> I&C function”. The main<br />
associated in<strong>for</strong>mation and controls of the function are:<br />
• Inputs,<br />
• Outputs,<br />
• State of the function,<br />
• Override status,<br />
• Maintenance status,<br />
• Reset command,<br />
• Override commands.<br />
Only a very few occupational safety functions should require a highly reliable and available HMI or require the<br />
coordination of different plant systems. For central functions, functions that require display of in<strong>for</strong>mation on the<br />
reliable hardwired HMI, or functions that would not adapt to the predefined standards, a more flexible<br />
configuration can be considered, but it should be the exception. In this case, the interface between the <strong>PSS</strong>-<strong>OS</strong> and<br />
the CSS-<strong>OS</strong> will be tailored to the specific needs and will be defined directly between the <strong>PSS</strong>-<strong>OS</strong> <strong>design</strong>ers and<br />
the CSS-<strong>OS</strong>. However, all the concepts from standard functions that would be still applicable should be used:<br />
The interface which manages the link between a <strong>PSS</strong>-<strong>OS</strong> safety PLC and the CSS-<strong>OS</strong> SCADA (CODAC Core<br />
System technology) is detailed in section 9.1. This section defines the concepts applicable to all the <strong>OS</strong> I&C<br />
functions, and then those specifically related to Standard <strong>OS</strong> I&C function. It is an EPICS interface.<br />
The second interface which manages the link between the <strong>PSS</strong>-<strong>OS</strong> and CSS-<strong>OS</strong> safety PLCs (when relevant <strong>for</strong> a<br />
specific <strong>OS</strong> I&C function) is introduced in section 9.2. It is a SIMATIC Safety PLC interface.<br />
The last interface which manages the link about <strong>OS</strong> Hardware Monitoring between the <strong>PSS</strong>-<strong>OS</strong> and the CSS-<strong>OS</strong><br />
SCADA is introduced in section 9.3. It is also an EPICS interface.<br />
9.1 <strong>OS</strong> Functional Monitoring Interface<br />
It is necessary to predefine some standards to manage most of the monitoring interfaces between <strong>PSS</strong>-<strong>OS</strong> safety<br />
PLC and the CSS-<strong>OS</strong> SCADA. The most frequent <strong>PSS</strong>-<strong>OS</strong> needs will be the local functions and emergency button<br />
monitoring. As far as possible, these standard interfaces should be implemented in each <strong>PSS</strong>-<strong>OS</strong> involved in an<br />
occupational safety function.<br />
Page 61 of 95
In this way, IO has standardized firstly the common <strong>OS</strong> functional concepts (states and status functions, monitored<br />
in<strong>for</strong>mation, reset, override…) and secondly two <strong>OS</strong> standard EPICS interfaces.<br />
9.1.1 <strong>OS</strong> Common Concepts<br />
9.1.1.1 <strong>OS</strong> Function State and Status<br />
The safety logic between the inputs and the outputs will be specific to each <strong>OS</strong> I&C function, but the state of the<br />
function will always be synthesized by an overall status as defined below:<br />
<br />
<br />
<br />
Tripped state:<br />
The safety function is activated, associated safety actuators are maintained in the fail-safe position.<br />
Tripped condition: safety event or major failure that triggers the actuation of the safety function (fail safe<br />
<strong>design</strong>).<br />
Normal state:<br />
The safety function is not activated, associated safety actuators are activated in the normal position, there<br />
are no conditions related to the “degraded state”.<br />
Degraded state:<br />
The safety function is not activated, associated safety actuators are activated in the normal position, but a<br />
component of the safety function is unavailable (one sensor of a 2oo3 logic is tripped, degraded output<br />
configuration…).<br />
SEVERITY<br />
Normal<br />
A<br />
B<br />
Degraded<br />
D<br />
E<br />
C<br />
Tripped<br />
REFERENCE<br />
A<br />
B<br />
C<br />
D<br />
E<br />
FROM TO CONDITION<br />
normal degraded One of the component of the safety function becomes unavailable.<br />
degraded normal If all the components of the safety function become available<br />
degraded tripped If an event or a major failure occurs<br />
normal tripped If an event or a major failure occurs<br />
tripped normal If the operator resets AND the safety function is available<br />
Figure 9.2: Function States principle<br />
The function will also have two additional statuses associated that will be controlled by the operator from the<br />
CSS-<strong>OS</strong>:<br />
<br />
Override status,<br />
Page 62 of 95
Maintenance status.<br />
The override status will be set as soon as at least one input or output of the function is overridden. The overrides<br />
are used to disable inputs or outputs from a safety related system <strong>for</strong> maintenance activities (prevention or repair),<br />
to avoid trips caused by spurious signals or logic tests.<br />
An override can equally be applied to the inputs or outputs of the function. This may also be described as an<br />
inhibit or a <strong>for</strong>cing command. Strictly speaking, an ‘inhibit’ prevents something happening whereas an ‘override’<br />
applies a <strong>for</strong>ced state, but these two words tend to be used interchangeably. In this document, override will be<br />
used.<br />
However, the status indications of inhibited inputs and outputs stay active to provide as much in<strong>for</strong>mation as<br />
possible to the operator.<br />
The maintenance status will be used by the operator to highlight a function that is under maintenance or during<br />
commissioning. This status is like a virtual flag set up by the operator on the control room’s displays as a reminder<br />
of this specific condition.<br />
This maintenance status however, has no influence on the behaviour of the safety functions, which are still<br />
computed.<br />
9.1.1.2 <strong>OS</strong> Function Reset<br />
Once triggered, the status of the safety function must be latched and the safety actuators must be activated to the<br />
safe position and remain there even if the safety event that triggered the function disappears.<br />
The reset command, usable from the CSS-<strong>OS</strong> SCADA, will allow all the latched safety actuators commands that<br />
were activated to the “Trip” state to be reset.<br />
The reset command will also reset all values latched during the triggering of the function (latched inputs value <strong>for</strong><br />
example).<br />
Important requirement: The safety logic of the function must be <strong>design</strong>ed so that the function’s reset command<br />
can only be effective if the inputs are in such a state that there is no safety event.<br />
9.1.1.3 Override<br />
By default, an override is not programmed. The override program has to be implemented as a safety program. An<br />
override should be programmed only if the function requires it.<br />
Inputs and outputs of the <strong>OS</strong> I&C function can only be overridden by maintenance operators from CSS-<strong>OS</strong><br />
maintenance terminals.<br />
This action is per<strong>for</strong>med through the function’s override controls.<br />
Note: A specific robust protocol guarantees that no override command can be accidentally set (human error and/or<br />
system failure). This protocol implemented <strong>for</strong> the data exchanges between PLC and <strong>OS</strong> SCADA ensures the<br />
quality of the commands.<br />
Caution: Override controls <strong>for</strong> an input or an output should only be implemented when demonstrated as necessary<br />
<strong>for</strong> the operation.<br />
9.1.1.4 Time stamping<br />
The <strong>PSS</strong>-<strong>OS</strong> PLC has to be synchronized with a unique time reference to provide correct logging of the sequence<br />
of events <strong>for</strong> fault analysis.<br />
Time synchronization of SCS-<strong>OS</strong> is done from an external clock.<br />
As S7 Siemens PLC accepts NTP synchronization, an NTP server is used <strong>for</strong> synchronizing all occupational safety<br />
SCS.<br />
Page 63 of 95
The goal of the time stamping function is to provide an accurate sequence of events in the archiving system <strong>for</strong><br />
accident/incident analysis and accurate timing when a function activation/bypass is delayed in another I&C<br />
system.<br />
The main aim of this function is that the communication time between PLC does not affect the timestamp of<br />
events. For this reason, event time stamping should be per<strong>for</strong>med as close as possible to the acquisition device.<br />
When an event happens in <strong>PSS</strong>-<strong>OS</strong>, the time stamping is done inside this <strong>PSS</strong>-<strong>OS</strong> PLC and this event is<br />
transmitted to CSS-<strong>OS</strong>, with this original timestamp in<strong>for</strong>mation.<br />
The time reference <strong>for</strong> timestamps is the “ITER time” (=UTC time).<br />
9.1.1.5 Alarm Management<br />
Design:<br />
The alarm <strong>design</strong> integrates the recommendations described in the [RD23], Philosophy of ITER Alarm System<br />
Management document [ITER_D_3WCD7T].<br />
Development tool:<br />
The software tool used to <strong>design</strong> the alarms is BEAST. It is a distributed alarm system consisting of alarm servers<br />
that monitor alarms from the EPICS IOC processes via channel access. It has a user interface <strong>for</strong> viewing the<br />
current alarms as well as acknowledging alarms and browsing the alarm history.<br />
An alarm is characterized by several specificities like:<br />
- Its family (Alarm, Default),<br />
- Its colour,<br />
- Its acknowledgement.<br />
Alarm behaviour:<br />
The following text is a description of a typical alarm’s behaviour:<br />
<br />
<br />
After a variable goes above its range, a related time-stamped alarm is set in the <strong>OS</strong>-supervision.<br />
This alarm is displayed in the alarm table until it has been acknowledged by an operator and whilst the<br />
fault is still present in the PLC. So, both conditions are required to reset the alarm.<br />
After an operator acknowledgement the alarm will change colour, but if the fault is still present the<br />
message will still remain.<br />
In that case, the disappearance of the fault is expected to automatically erase the alarm message.<br />
So the alarm variables in SDD should be configured to, “latch” and “annunciate” in order to:<br />
- Announce when a new alarm rises,<br />
- Enable the operator to acknowledge the alarm.<br />
Note: All alarms configured in the SDD should be also programmed in the PLC.<br />
9.1.1.6 Naming convention<br />
Refer to [RD2], Plant Control Design Handbook to the complete naming rules.<br />
9.1.2 Occupational Safety Standard<br />
9.1.2.1 <strong>OS</strong> Standard Function<br />
In order to cope with a large scope of future <strong>OS</strong> functions (most <strong>OS</strong> functions are likely to be local functions), an<br />
<strong>OS</strong> standard function was defined. Associated to this <strong>OS</strong> standard function, the whole interfaces with CSS-<strong>OS</strong><br />
SCADA have been fixed.<br />
Page 64 of 95
Refer to section 2.5.1 <strong>for</strong> more details about <strong>OS</strong> local functions.<br />
The main in<strong>for</strong>mation and controls associated with an <strong>OS</strong> function are:<br />
Inputs,<br />
Outputs,<br />
State of the function,<br />
Override status,<br />
Maintenance status,<br />
Reset command,<br />
Override commands.<br />
The maximum numbers of inputs and outputs of this <strong>OS</strong> standard I&C function are fixed. They have been<br />
<strong>design</strong>ed to accommodate the majority of needs. If a specific function needs only a subset of these inputs and<br />
outputs, then they will be “disabled” by setting them to a specific “disabled” value.<br />
The standard function has:<br />
<br />
<br />
Inputs:<br />
o Zero to a maximum of four digital inputs available, to address the different logic combination<br />
(from 1oo1 to 2oo4) or different process thresholds to monitor,<br />
o Zero to a maximum of three analogue inputs available, to address the different logic<br />
combination (from 1oo1 to 2oo3), or different process values to monitor.<br />
Outputs:<br />
o Maximum three digital outputs available to control up to 3 safety actuators.<br />
If a function needs more inputs or outputs, it will be implemented as a specific function (see section 9.1.2.3).<br />
9.1.2.1.1 Detailed representation<br />
To implement the above concepts, the interface between the <strong>PSS</strong>-<strong>OS</strong> Safety PLC and the CSS-<strong>OS</strong> SCADA can be<br />
represented as shown below:<br />
Page 65 of 95
INPUTS<br />
OUTPUTS<br />
CSS-<strong>OS</strong> terminal<br />
Archiving<br />
Operator action /<br />
command<br />
<strong>PSS</strong> logic treatment<br />
Supervision display<br />
/ monitoring<br />
CSS-<strong>OS</strong> terminal<br />
Archiving<br />
Alarming<br />
Standard function<br />
Reset command<br />
Maintenance Set<br />
Maintenance Reset<br />
31<br />
32<br />
33<br />
Function<br />
Function Ready to Reset<br />
Function State<br />
(Normal OR Degraded OR Tripped)<br />
Function overrided<br />
Function in maintenance mode<br />
38<br />
35<br />
37<br />
36<br />
Memorized state of each function input (x7) 34<br />
X 4 DI<br />
Digital input state<br />
Digital input invalidity<br />
Override Enable<br />
Override Disable<br />
15<br />
14<br />
17<br />
18<br />
X 3 AI<br />
Engineering value of the analog input 1<br />
4 x safety thresholds reached<br />
4 x safety thresholds value<br />
6<br />
2<br />
7<br />
3<br />
8<br />
4<br />
9<br />
5<br />
Analog input invalidity 11<br />
Override Enable<br />
12<br />
Override Disable<br />
13<br />
X 3 DO<br />
Digital output state<br />
Output invalidity<br />
Override Value<br />
Override Mode<br />
22<br />
19<br />
20<br />
21<br />
Override number<br />
24<br />
Override activation<br />
26<br />
Override Number<br />
Override Validation<br />
29<br />
30<br />
Override<br />
Override desactivation<br />
Override number + 10000<br />
27<br />
25<br />
Window override validity<br />
28<br />
Figure 9.3: <strong>OS</strong> Standard Function interface schema<br />
Inputs: The Left part of the figure lists the controls going from the CSS-<strong>OS</strong> terminal to the <strong>PSS</strong>-<strong>OS</strong> Safety PLC<br />
(red colour):<br />
<br />
<br />
The reset command,<br />
The override commands,<br />
Page 66 of 95
The maintenance commands.<br />
<strong>PSS</strong>-<strong>OS</strong> Safety PLC: The central part presents the <strong>PSS</strong>-<strong>OS</strong> Safety PLC, containing the:<br />
- Function data,<br />
- 4 Digital Inputs,<br />
- 3 Digital Outputs,<br />
- 3 Analog Inputs,<br />
- Override data.<br />
Outputs: The right part lists the exchanges between the <strong>PSS</strong>-<strong>OS</strong> Safety PLC and the CSS-<strong>OS</strong> SCADA System<br />
functions (monitoring, archiving and alarming) <strong>for</strong> each element of the standard function (black colour).<br />
Note: the numbers in green associated with each variable in the figure above, allow the link to be made with the<br />
details of each variable in appendix 2.<br />
9.1.2.1.2 SDD Translation<br />
The interface between the <strong>PSS</strong>-<strong>OS</strong> Safety PLC and the CSS-<strong>OS</strong> SCADA will be configured with the SDD tool<br />
(SDD editor software), defining all interface in<strong>for</strong>mation. Some of the in<strong>for</strong>mation will be specific to the function,<br />
while others are fixed by this standard.<br />
The specific in<strong>for</strong>mation should be completed by the <strong>PSS</strong>-<strong>OS</strong>.<br />
Refer to section 8.2.1 <strong>for</strong> more details about the SDD tool.<br />
The result is three tables which can be exported from the SDD compilation. They are:<br />
A) Variable table,<br />
B) Control unit table,<br />
C) I/O modules table.<br />
A) Variable table<br />
This standard function contains 90 variables. A sample of a typical variable list exported can be found in<br />
ITER_D_DTXZMB - <strong>OS</strong> Standard SDD Template.<br />
Refer to appendix 2 <strong>for</strong> more details about variable table of the <strong>OS</strong> standard function typical.<br />
B) Control units table<br />
This table contains the complementary data concerning the control units (PLC, CSS-<strong>OS</strong> Server PLC<br />
IOC).<br />
The <strong>PSS</strong>-<strong>OS</strong> <strong>design</strong>er will be responsible <strong>for</strong> filling the table such as the control unit name and also the<br />
other in<strong>for</strong>mation in the control units table.<br />
The in<strong>for</strong>mation required will be provided by IO.<br />
C) I/O modules table<br />
This table concerns the I/O modules and is specific to the <strong>PSS</strong>-<strong>OS</strong> application.<br />
9.1.2.2 <strong>OS</strong> Standard Emergency Button Monitoring<br />
Unlike the first standard which is a standard function, the Standard Emergency button monitoring is only an<br />
standard event. This case arises from the large number of emergency button events which have to be implemented<br />
by the <strong>PSS</strong>-<strong>OS</strong>.<br />
Refer to section 2.5.4 <strong>for</strong> more details about <strong>OS</strong> emergency buttons.<br />
This event takes into account two different cases which can be encountered by the <strong>PSS</strong>-<strong>OS</strong>:<br />
Page 67 of 95
- Low integrity emergency button monitoring: <strong>PSS</strong>-<strong>OS</strong> will in<strong>for</strong>m the CSS-<strong>OS</strong> terminal through the<br />
CSN about the emergency button and the display on the CSS-<strong>OS</strong> SCADA is sufficient from the safety<br />
point of view.<br />
- High integrity emergency button monitoring: In addition to what happens in the low integrity case, the<br />
detection of the button has to trigger a SIL 2 or SIL 3 safety action coordinated by the CSS-<strong>OS</strong>, or to be<br />
displayed on the safety critical display.<br />
Note: Plant system emergency stop devices or emergency switch off devices: Generally installed on the front<br />
doors to the system electrical boards or near electrical motors, these are specifically to stop the process when a<br />
problem is detected by an operator (e.g.: smoke or strange sound). The emergency stop devices or emergency<br />
switch off devices (under responsibility of the plant system concerned) will be only monitored by their<br />
conventional control and then reported to the CODAC system. In parallel, operators can actuate the nearest<br />
emergency call button.<br />
If it is decided that a specific plant system emergency stop device or an emergency switch off device, which<br />
per<strong>for</strong>ms the shutdown of a machine in the same plant system, has to be monitored by the CSS-<strong>OS</strong>, then it will be<br />
considered as a “standard <strong>OS</strong> I&C function” and addressed as described in section 9.1.2.1.<br />
The typical case has:<br />
<br />
Inputs:<br />
o<br />
Zero to a maximum of four digital inputs available,<br />
CSS-<strong>OS</strong> supervision<br />
<strong>PSS</strong> x<br />
Figure 9.4: Emergency button interface principle<br />
9.1.2.2.1 Detailed representation<br />
To implement the above concepts, the interface between the <strong>PSS</strong>-<strong>OS</strong> Safety PLC and the CSS-<strong>OS</strong> SCADA can be<br />
represented as shown below:<br />
Page 68 of 95
INPUTS<br />
OUTPUTS<br />
CSS-<strong>OS</strong> terminal<br />
Archiving<br />
Operator action /<br />
command<br />
<strong>PSS</strong> logic treatment<br />
Supervision display<br />
/ monitoring<br />
CSS-<strong>OS</strong> terminal<br />
Archiving<br />
Alarming<br />
Emergency Button<br />
X 4<br />
Emergency Button state<br />
Emergency Button invalidity<br />
Figure 9.5: Standard Emergency Button Monitoring Interface Schema<br />
Inputs: The Left part of the figure lists the controls going from the CSS-<strong>OS</strong> terminal to the <strong>PSS</strong>-<strong>OS</strong> Safety PLC<br />
(red colour):<br />
No configuration variable <strong>for</strong> this typical case.<br />
<strong>PSS</strong>-<strong>OS</strong> Safety PLC: The central part presents the <strong>PSS</strong>-<strong>OS</strong> Safety PLC containing:<br />
<br />
4 Digital Inputs.<br />
Outputs: The right part lists the exchanges between the <strong>PSS</strong>-<strong>OS</strong> Safety PLC and the CSS-<strong>OS</strong> SCADA System<br />
functions (monitoring, archiving and alarming) <strong>for</strong> each element of the standard function (black colour).<br />
<br />
<br />
Emergency Button State: the <strong>PSS</strong>-<strong>OS</strong> sends the Emergency Button state to the CSS-<strong>OS</strong> SCADA,<br />
Emergency Button Invalidity: is the health monitoring signal of the Emergency Button.<br />
Refer to appendix 4 <strong>for</strong> more details about the associated SDD translation.<br />
9.1.2.3 <strong>OS</strong> Specific Function<br />
It should be possible to implement most <strong>OS</strong> functions as standard <strong>OS</strong> I&C functions, however some will need<br />
“custom” treatment:<br />
- The central safety functions need SIL certified communications between the <strong>PSS</strong>-<strong>OS</strong> and the CSS-<strong>OS</strong><br />
PLC to trigger safety actions of other plant systems,<br />
- Some functions require a highly reliable and available HMI which cannot be computerized,<br />
- Some functions have inputs and outputs that do not fit in the standard <strong>OS</strong> function,<br />
- Some complex functions could necessitate adaptation of the HMI to describe the function,<br />
- …<br />
In this case, the interface between the <strong>PSS</strong>-<strong>OS</strong> and the CSS-<strong>OS</strong> will be tailored to the needs and discussed directly<br />
between the <strong>PSS</strong>-<strong>OS</strong> and the CSS-<strong>OS</strong> <strong>design</strong>ers.<br />
Page 69 of 95
However, all the concepts from standard functions that would be still applicable should be used:<br />
Definition of the states of the function,<br />
Standard in<strong>for</strong>mation <strong>for</strong> inputs and outputs,<br />
Override and maintenance status,<br />
Latch and reset policy,<br />
Overrides concepts and policy,<br />
Naming convention.<br />
9.2 <strong>OS</strong> Interface between <strong>PSS</strong>-<strong>OS</strong> PLC and CSS-<strong>OS</strong> PLC<br />
The <strong>PSS</strong>-<strong>OS</strong> <strong>design</strong>er will develop the PLC Software with one of the following SIEMENS software packages<br />
according to the hardware configuration selected <strong>for</strong> the <strong>PSS</strong>-<strong>OS</strong>:<br />
<br />
<br />
S7 Distributed Safety in case of S7-300F CPU used,<br />
S7 F/FH System in case of S7-400H CPU used.<br />
Caution: For the <strong>OS</strong> central function cases, the <strong>PSS</strong>-<strong>OS</strong> PLC software will be interfaced to the CSS-<strong>OS</strong> PLC<br />
software (develop with S7 F/FH System).<br />
The <strong>PSS</strong>-<strong>OS</strong> <strong>design</strong>er should refer to the PLC supplier documents in order to take into account all mechanisms<br />
concerning safety communication via Industrial Ethernet protocol through the S7 connections.<br />
9.3 <strong>OS</strong> Hardware Monitoring Interface<br />
The only kind of alarm about system health that should appear on the CSS-<strong>OS</strong> SCADA on the safety operator’s<br />
desk should be a synthesized alarm.<br />
All detailed system monitoring should appear in the dedicated CSS-<strong>OS</strong> maintenance terminals and should be as<br />
detailed as possible.<br />
There are two kinds of health monitoring:<br />
- Cubicle monitoring (temperature, doors…),<br />
- System monitoring (PLC memory, communication rates…).<br />
Note: These values are transmitted to the CSS-<strong>OS</strong> SCADA through standard SDD templates which are still under<br />
study.<br />
Refer to the documents listed here <strong>for</strong> more details:<br />
- [RD2], Plant Control Design Handbook [ITER_D_27LH2V] paragraph 4.4.1,<br />
- [RD16], Functional specification of I&C cubicle monitoring [ITER_D_7A45LE].<br />
9.4 <strong>PSS</strong>-<strong>OS</strong> software structure<br />
In this section, the program structure is introduced as a typical scheme of a Standard PLC Software Structure<br />
(S<strong>PSS</strong>) to be deployed on the ITER Project <strong>for</strong> the conventional PLC. This specific S<strong>PSS</strong> shows the links between<br />
the <strong>PSS</strong>-<strong>OS</strong> data and the CSS-<strong>OS</strong> SCADA SDD.<br />
Refer to [RD21], PLC Software Engineering Handbook [ITER_D_3QPL4H] <strong>for</strong> more details about the S<strong>PSS</strong>.<br />
Page 70 of 95
9.4.1 S<strong>PSS</strong> Architecture and data exchanges<br />
The figure below shows a typical S<strong>PSS</strong> program architecture, with:<br />
- CSS-<strong>OS</strong> SCADA interface <strong>for</strong> <strong>OS</strong> I&C functions,<br />
- Override modules (included in the functions).<br />
Figure 9.6: Software Structure principle<br />
The PLC core application is specific to the requirements of each plant system, whereas the rest of the S<strong>PSS</strong><br />
program (input processing, CSS-<strong>OS</strong> SCADA interface, output processing, reset DB) is common to all plant<br />
systems.<br />
9.4.2 Safety application<br />
The safety application is not represented in the figure, because there are two cases which depend on the CPU<br />
technology (S7-300F or a S7-400H):<br />
- If the S<strong>PSS</strong> CPU is a SIEMENS 300F (distributed safety), then the safety program is in the main call,<br />
- If the S<strong>PSS</strong> CPU is a SIEMENS 400F or 400FH (F-Systems), then the safety program is called in a<br />
periodic call.<br />
A main call program is executed cyclically by the PLC core, whereas the periodic call program is periodically<br />
executed, it is called an “interruption”.<br />
Interruptions have priority, in order to respect the interruption call periods, the main program in a PLC cycle can<br />
be stopped until the interruption has completed executing.<br />
Page 71 of 95
CYCLIC<br />
Tasks<br />
MIS<br />
MIE<br />
OB1 User Program<br />
PCC<br />
MIS<br />
MIE<br />
OB1 User Program<br />
PCC<br />
MIS<br />
MIE<br />
OB1 User Program<br />
PCC<br />
PERIODIC<br />
OBxx<br />
OBxx<br />
OBxx<br />
Time<br />
T0<br />
T1<br />
T3<br />
MIS<br />
MIE<br />
OB1<br />
OBxx<br />
PCC<br />
Legend :<br />
Outputs actualization<br />
Inputs actualization<br />
User program treatment<br />
Periodic interuption<br />
Cycle control<br />
Figure 9.7: Safety Program principle<br />
The <strong>PSS</strong>-<strong>OS</strong> <strong>design</strong>er should refer to the PLC supplier documents in order to take into account all safety<br />
application mechanisms.<br />
9.5 Deliverables related to the CSS-<strong>OS</strong> configurations<br />
IO or a Domestic Agency is in charge of providing all of the modules and functions required to manage the <strong>OS</strong><br />
function. The <strong>PSS</strong>-<strong>OS</strong> PLC and the associated mini CSS-<strong>OS</strong> are mainly concerned.<br />
Some devices, such as the PLC core application, have to be treated from the <strong>PSS</strong>-<strong>OS</strong> point of view.<br />
Note that the S<strong>PSS</strong> (which is the standard program implemented by ITER to integrate the user PLC core<br />
application) is provided by ITER.<br />
Some devices have to be treated from the mini CSS-<strong>OS</strong> point of view, such as:<br />
- SDD,<br />
- EPICS IOCs,<br />
- BOY screens.<br />
The SDD will also provide the alarm configuration (BEAST).<br />
Otherwise, the <strong>PSS</strong>-<strong>OS</strong> database is issued from the SDD compilation and has to be imported to the <strong>PSS</strong>-<strong>OS</strong><br />
application software.<br />
Standard SDD <strong>for</strong> the <strong>PSS</strong>-<strong>OS</strong> functions, such as “standard function interface” and “emergency button interface”<br />
are available to download from IDM.<br />
The BOY screens related to the <strong>PSS</strong>-<strong>OS</strong> safety logic representation (ex: matrix…) will not be implemented by the<br />
plant systems, but will be automatically generated by an ITER routine executed from the CODAC Core system.<br />
Page 72 of 95
10 Development and Integration<br />
To further facilitate future integration and to ensure that there is a common plant I&C hardware and software<br />
infrastructure, PBS48 will, in addition to setting standards, provide plant system <strong>design</strong>ers with three specific<br />
common hardware components: a basic communication infrastructure, a plant system host and “mini CSS-<strong>OS</strong>”.<br />
Mini CSS-<strong>OS</strong> – Each plant system I&C will also be provided with the software with CODAC Core System<br />
version Mini CSS-<strong>OS</strong> which includes the tools <strong>for</strong> accessing plant system data, operator displays, archiving, alarm<br />
handling, CSS-<strong>OS</strong> Server PLC IOC. Also provided will be the necessary software development tools, including<br />
the Self-Describing Database Editor. Future versions of Mini CSS-<strong>OS</strong> will support testing of plant system I&C<br />
and CSS interfaces as well as generic test engines to be used <strong>for</strong> FAT and SAT.<br />
Communications Infrastructure – Each plant system I&C will also be provided with the basic communications<br />
infrastructure, a standard switch, to ensure connectivity between mini CSS-<strong>OS</strong> and the various components –<br />
CSS-<strong>OS</strong> PLC IOC, and PLCs – of the plant system I&C itself. Use of this switch will facilitate future connection<br />
to the CSS-<strong>OS</strong> SCADA data network at the ITER site.<br />
Integrating with CSS-<strong>OS</strong> SCADA:<br />
After the SAT with mini CSS-<strong>OS</strong>, the PBS48 team will be responsible <strong>for</strong> the connection of the plant system I&C<br />
to CSS-<strong>OS</strong> SCADA itself. All SAT tests will be repeated, this time using ITER control room and server facilities.<br />
To the extent possible (increasingly <strong>for</strong> systems delivered later) these tests will be per<strong>for</strong>med in a network loading<br />
environment which is as close as possible to future operating conditions.<br />
List of documents to be supplied by each <strong>PSS</strong>-<strong>OS</strong> to the PBS48:<br />
Hazard and risk analysis,<br />
Occupational safety function allocation,<br />
Database exchange list,<br />
Application software,<br />
Acceptance testing documents.<br />
Page 73 of 95
11 Installation<br />
The <strong>PSS</strong>-<strong>OS</strong> components will be installed in <strong>PSS</strong>-<strong>OS</strong> cubicles.<br />
For the installation of the <strong>PSS</strong>-<strong>OS</strong> cubicles, the following rules must be applied:<br />
- The <strong>PSS</strong>-<strong>OS</strong> cubicles must be compliant with [RD12], the ITER catalogue <strong>for</strong> I&C products –<br />
Cubicles [ITER_D_35LXVZ],<br />
- The space reservation and allocation of the components inside of the <strong>PSS</strong>-<strong>OS</strong> cubicle must be<br />
compliant with [RD14], the <strong>Guidelines</strong> <strong>for</strong> I&C Cubicle Configurations [ITER_D_476HUG] and<br />
[RD17], the I&C cubicle internal configuration [ITER_D_4H5DW6],<br />
- The handling and installation of the floor standing <strong>PSS</strong>-<strong>OS</strong> cubicles must be compliant with [RD14],<br />
the <strong>Guidelines</strong> <strong>for</strong> I&C Cubicle Configurations [ITER_D_476HUG] and [RD17], I&C cubicle<br />
internal configuration [ITER_D_4H5DW6] (§ Cubicle installation),<br />
- The requirements <strong>for</strong> earthing and electromagnetic compatibility and the cable entries (on top or on<br />
bottom) described in the Electrical Hand Book [RD18], EDH Part 1: Introduction<br />
[ITER_D_2F7HD2] and in [RD20], EDH Part 4: Earthing [ITER_D_2ELREB], EMC and Lightning<br />
Protection are applicable to the <strong>PSS</strong>-<strong>OS</strong> cubicles,<br />
- The specific requirements <strong>for</strong> Siemens hardware installation (e.g. cable section <strong>for</strong> backplane<br />
connexion, etc.) should be taken into account and respected,<br />
- The <strong>PSS</strong>-<strong>OS</strong> cubicle <strong>design</strong> and installation must meet the requirements <strong>for</strong> seismic class SC2.<br />
Page 74 of 95
12 Testing and Acceptance tests<br />
The testing and acceptance tests are important tasks and they are an integral part of the ITER model of integration.<br />
These tests are intended to check the con<strong>for</strong>mity of the deliverables with the requirements specified by ITER.<br />
In the process defined by the ITER model of integration, two major acceptance tests are defined: FAT (Factory<br />
Acceptance Tests) carried out at the supplier’s premises during the manufacturing phase and the SAT (Site<br />
Acceptance Tests) covering the all plant systems installed on the site during the integration phase.<br />
Figure 12.1: Integration principle<br />
12.1 Entry criteria<br />
The entry criteria <strong>for</strong> the acceptance test given in [RD10], the Integration scheme and procedure <strong>for</strong> plant system<br />
I&C [ITER_D_3VVU9W] is applicable <strong>for</strong> the <strong>PSS</strong>-<strong>OS</strong> acceptance tests.<br />
This document gives a list of the pre-requisites which must be met in order to start the acceptance tests (FAT or<br />
SAT). A particular pre-requisite <strong>for</strong> <strong>PSS</strong>-<strong>OS</strong> test is the installation of the Mini CSS-<strong>OS</strong> tool (very similar to the<br />
Mini-CODAC) + Safety-<strong>OS</strong> PLC which will represent the CSS-<strong>OS</strong> safety PLC in order to per<strong>for</strong>m SIL functions.<br />
12.2 Acceptance process<br />
The acceptance process described in [RD10], the Integration scheme and procedure <strong>for</strong> plant system I&C<br />
[ITER_D_3VVU9W] is applicable <strong>for</strong> the <strong>PSS</strong>-<strong>OS</strong> acceptance tests.<br />
In accordance with [RD2], the PCDH - Plant Control Design Handbook [ITER_D_27LH2V], the results of the<br />
execution of the FAT and SAT plans are recorded in a FAT (PCDH D50) or SAT (PCDH D65) report. Their<br />
classification and treatment should comply with the requirements <strong>for</strong> test campaign part passed, severity level<br />
value and live cycle state.<br />
12.3 Acceptance criteria<br />
The acceptance criteria with a list of requirement details, especially <strong>for</strong> the different validations taking into<br />
account parameters like execution rate, severity level, etc. described in [RD10], the Integration scheme and<br />
procedure <strong>for</strong> plant system I&C [ITER_D_3VVU9W] is applicable <strong>for</strong> the <strong>PSS</strong>-<strong>OS</strong> acceptance tests.<br />
Page 75 of 95
12.4 FAT<br />
The Plant System I&C Factory Acceptance Test (FAT) is a test which checks the con<strong>for</strong>mity of the plant system<br />
I&C with IO requirements and mainly with the PCDH requirements, in order to ensure that the plant system I&C<br />
unit is integrable be<strong>for</strong>e starting the SAT.<br />
The unit <strong>for</strong> PS I&C FAT is the <strong>PSS</strong>-<strong>OS</strong> cubicle with its embedded hardware and software.<br />
Be<strong>for</strong>e starting the FAT the supplier must carry out a pre-FAT to detect and solve the manufacturing<br />
issues.<br />
The scope of the FAT should be adjusted according to the procurement configuration and will cover the following<br />
areas:<br />
Mechanical and electrical configuration of the <strong>PSS</strong>-<strong>OS</strong> cubicles<br />
PLC’s hardware and software<br />
Plant system configuration<br />
Plant system I&C functions<br />
Per<strong>for</strong>mance<br />
Documentation<br />
During the FAT, the interfaces to the plant (instrumentation and actuators) are disconnected or simulated by test<br />
equipment. The functional test will be per<strong>for</strong>med with the mini-CSS-<strong>OS</strong> tool + safety PLC which will represent<br />
the CSS-<strong>OS</strong> safety PLC in order to per<strong>for</strong>m SIL functions. The environmental conditions are those of the<br />
supplier’s factory.<br />
For checking compliance of the procurement with the remaining PCDH requirements and to optimize the duration<br />
of the FAT, the PCDH proposes to split I&C FAT into several campaigns.<br />
For further in<strong>for</strong>mation about the FAT campaigns, their scope and scenarios consult the [RD2], PCDH - Plant<br />
Control Design Handbook [ITER_D_27LH2V] and [RD10], the Integration scheme and procedure <strong>for</strong> plant<br />
system I&C [ITER_D_3VVU9W].<br />
12.5 SAT<br />
The Site Acceptance Test (SAT) is a test which checks the con<strong>for</strong>mity of the whole set of plant system I&C<br />
delivered after their shipment to Cadarache. It checks con<strong>for</strong>mity with IO requirements and mainly with the<br />
PCDH requirements, in order to ensure that the <strong>PSS</strong>-<strong>OS</strong> are ready to go ahead to the next step in life-cycle of the<br />
ITER model of integration: the integrated commissioning.<br />
The SAT will also be per<strong>for</strong>med on what was not covered <strong>for</strong> any reason by the FAT.<br />
In accordance with [RD10], the Integration scheme and procedure <strong>for</strong> plant system I&C [ITER_D_3VVU9W] the<br />
SAT is organised into 3 sequential steps:<br />
- Component tests: the unit to test is the <strong>PSS</strong>-<strong>OS</strong> Cubicle (physical interfaces test). These tests are<br />
per<strong>for</strong>med under the supplier’s responsibility with the support of ITER IO CSD <strong>for</strong> the PBS48.<strong>OS</strong><br />
interface.<br />
- System tests: the unit to test is the <strong>PSS</strong>-<strong>OS</strong> System (functional tests). These tests are per<strong>for</strong>med with<br />
mini-CSS-<strong>OS</strong> tool + safety PLC which will represent the CSS-<strong>OS</strong> safety PLC in order to per<strong>for</strong>m<br />
SIL functions. These tests are per<strong>for</strong>med under the supplier’s responsibility with the support of ITER IO<br />
CSD <strong>for</strong> the PBS48.<strong>OS</strong>.<br />
- System connection to PBS48.<strong>OS</strong>: the unit to test is the <strong>PSS</strong>-<strong>OS</strong> System (functional tests). The mini-<br />
CSS-<strong>OS</strong> tool + safety PLC used in the previous step are functionally disconnected from the <strong>PSS</strong>-<strong>OS</strong><br />
system. The PBS48.<strong>OS</strong> servers are updated with the plant system configuration, alarm and archive data<br />
from the mini-CSS-<strong>OS</strong> tool and safety PLC used during the system tests. The system connection test to<br />
PBS48.<strong>OS</strong> is per<strong>for</strong>med under ITER IO CSD responsibility.<br />
Page 76 of 95
In accordance with [RD2], the PCDH - Plant Control Design Handbook [ITER_D_27LH2V], any deviation from<br />
the expected result during the execution of tests must be captured in a uniquely identified issue sheet. This will<br />
record all of the in<strong>for</strong>mation related to the investigation of the root cause of the issue and all of the remedial<br />
actions. In these cases the PCDH rules in the “Deviation policy” section should be applied.<br />
Page 77 of 95
13 Standards compliance and certification requirements<br />
This paragraph defines the methodology <strong>for</strong> certification of all occupational safety functions.<br />
The certification strategy of this system is based on IEC 61508.<br />
The plant system suppliers have to deliver a SIL certified system that meets the safety requirements as described<br />
in the IEC 61508. The plant system supplier has to arrange <strong>for</strong> this certification to be delivered by a third party.<br />
The justification <strong>for</strong> risk management of random and systematic failures is divided into four steps:<br />
- Step 1: Identifying what the required safety functions are. Hazard analysis and definition of safety<br />
functions,<br />
- Step 2: Assessment of the risk-reduction required by the safety function. This will involve a Safety<br />
Integrity Level (SIL) Assessment. The SIL is determined <strong>for</strong> each safety function according to the<br />
estimated frequency of the risk associated and the severity of its consequences. A Safety Integrity Level<br />
(SIL) applies to an end-to-end safety function of the safety-related system, not just to a component or part<br />
of the system,<br />
- Step 3: Ensuring the safety function per<strong>for</strong>ms to the <strong>design</strong>, including under conditions of incorrect<br />
operator input and failure modes. This will involve having the <strong>design</strong> and lifecycle managed by qualified<br />
and competent engineers carrying out processes to a recognised functional safety standard,<br />
- Step 4: Demonstration of achievement of the SIL level allocated.<br />
To ensure the objectivity of the study, an independent organization must carry out the SIL demonstration. If the<br />
Plant System supplier is highly skilled in risk assessment and SIL I&C implementation, then the demonstration<br />
could, with adequate justification, be carried out by an independent department.<br />
Page 78 of 95
14 Periodic tests principle<br />
The ITER experimental process is not continuous 24 hours / day, 365 days / year. Some periods are specifically<br />
dedicated to maintenance:<br />
- 2 or 3 operational shifts of 8 hours per day <strong>for</strong> plasma pulse operations,<br />
- When not used <strong>for</strong> full operations, the 3 rd quiet shift may be used <strong>for</strong> testing, wall conditioning, heating<br />
commissioning or <strong>for</strong> short term maintenance.<br />
- Typically, after 12 operational days there will be 2-4 short term maintenance days.<br />
Moreover, after each experimental campaign, there will be a planned long term maintenance period of typically 8<br />
months.<br />
The inherent availability objective integrates the scheduled downtime <strong>for</strong> routine maintenance during 3 days each<br />
week during experimental campaign (3.5 months), and 40% of the potential operation time (5 months),<br />
corresponding to the unscheduled downtimes <strong>for</strong> corrective maintenance to repair faults.<br />
This means that during a 2 year experimental campaign, 16.5 (8+3.5+5) months will be used <strong>for</strong><br />
preventive/corrective maintenance & upgrades as compared with 7.5 months available <strong>for</strong> plasma<br />
operation/research programme.<br />
The SCS-<strong>OS</strong> (<strong>PSS</strong>-<strong>OS</strong> and CSS-<strong>OS</strong>) shall operate in continue to protect people and environment knowing that<br />
maintenance period are sometimes more critical than operational period (<strong>OS</strong> functions are generally linked to<br />
people presence).<br />
The process to per<strong>for</strong>m the periodic tests that are required to maintain the SIL level of the <strong>PSS</strong>-<strong>OS</strong> functions has<br />
to be considered at the <strong>design</strong> stage. In order to limit the complexity of the <strong>OS</strong> I&C function or the need of<br />
overrides, it is generally easier to per<strong>for</strong>m the periodic tests when the system protected by the function is stopped,<br />
which can happen in many cases during the Long Term Maintenance phase. When it is not possible or suitable, the<br />
requirements of the <strong>OS</strong> I&C functions have to take into account provisions <strong>for</strong> per<strong>for</strong>ming the tests during the<br />
<strong>PSS</strong>-<strong>OS</strong> operation (additional redundancies, specific overrides…).<br />
Page 79 of 95
APPENDIX 1 – Detailed logic hardware lists<br />
Architecture 1 – Standard availability architecture with Integrated IO configuration<br />
Order No. Designation Quantity<br />
6ES7317-2FK14-0AB0 Central processing unit CPU317F-2 PN/DP 1<br />
6ES7326-1BK02-0AB0 Digital input 24DI 24V DC; diagnose fail-safe 1<br />
6ES7326-2BF10-0AB0 Digital output 10DO DC 24V/2A PP; diagnose fail-safe 1<br />
6ES7336-4GE00-0AB0 Analog input 6AI 15 bit; diagnostics fail-safe 1<br />
6ES7390-1AJ30-0AA0 Mounting rail 830 mm 1<br />
6ES7392-1AJ00-0AA0 Front connector 20-pole with screw contact 1<br />
6ES7392-1AM00-0AA0 Front connector 40-pole with screw contact 1<br />
6ES7392-1BM01-0AA0 Front connector 40-pole with Cage Clamp terminals 1<br />
6ES7953-8LL31-0AA0 Micro Memory Card <strong>for</strong> IM151 CPU and S7-300C 2MB 1<br />
6GK7343-1GX30-0XE0 CP 343-1 Advanced Industrial Ethernet S7-300 2<br />
Table A1.1: Architecture 1 List of logic component<br />
PBS.X Cubicle<br />
MAIN SWITCH<br />
BACK-UP SWITCH<br />
Sensor a<br />
RJ45<br />
Sensor b<br />
RJ45<br />
Actuator a<br />
Actuator b<br />
CPU<br />
C<br />
P<br />
a<br />
C<br />
P<br />
b<br />
<strong>PSS</strong>-<strong>OS</strong><br />
Rack 0 DIa DOa AI<br />
DIb<br />
DOb<br />
AI<br />
DP<br />
Bus 0 Profinet<br />
Bus 1 Profinet<br />
Figure A1.1: Architecture 1 Schema<br />
Page 80 of 95
Architecture 2 – Standard availability architecture with Distributed IO configuration<br />
Order No. Designation Quantity<br />
6ES7153-2BA02-0XB0 IM 153-2 High Feature <strong>for</strong> ET200M PROFIBUS DP 1<br />
6ES7195-1GA00-0XA0 DIN rail <strong>for</strong> active bus modules 482mm (19") 1<br />
6ES7195-7HA00-0XA0 Active bus module <strong>for</strong> PS and IM 153 1<br />
6ES7195-7HB00-0XA0 Active bus module <strong>for</strong> 2 modules 40mm wide 1<br />
6ES7195-7HC00-0XA0 Active bus module or 1 module 80 mm wide 1<br />
6ES7315-2FJ14-0AB0 Central processing unit CPU315F-2 PN/DP 1<br />
6ES7326-1BK02-0AB0 Digital input 24DI 24V DC; diagnose fail-safe 2<br />
6ES7326-2BF10-0AB0 Digital output 10DO DC 24V/2A PP; diagnose fail-safe 2<br />
6ES7336-4GE00-0AB0 Analog input 6AI 15 bit; diagnostics fail-safe 2<br />
6ES7390-1AF30-0AA0 Mounting rail 530 mm 1<br />
6ES7392-1AJ00-0AA0 Front connector 20-pole with screw contact 2<br />
6ES7392-1AM00-0AA0 Front connector 40-pole with screw contact 4<br />
6ES7953-8LL31-0AA0 Micro Memory Card <strong>for</strong> IM151 CPU and S7-300C 2MB 1<br />
6GK7343-1GX30-0XE0 CP 343-1 Advanced Industrial Ethernet S7-300 2<br />
Table A1.2: Architecture 2 List of logic component<br />
PBS.X Cubicle<br />
MAIN SWITCH<br />
BACK-UP SWITCH<br />
<strong>PSS</strong>-<strong>OS</strong><br />
Rack 0<br />
CPU<br />
RJ45<br />
C<br />
P<br />
a<br />
C<br />
P<br />
b<br />
RJ45<br />
Sensor a<br />
DP<br />
Sensor b<br />
Actuator a<br />
Actuator b<br />
DP<br />
<strong>PSS</strong>-<strong>OS</strong> Periphery<br />
Rack 1<br />
IM0a DIa DIb DOa DOb AI<br />
AI<br />
Bus 0 Profinet<br />
Bus 1 Profinet<br />
Bus 0 Profibus<br />
Figure A1.2: Architecture 2 Schema<br />
Page 81 of 95
Architecture 3 – Specific Standard availability architecture<br />
Order No. Designation Quantity<br />
6ES7153-2BA02-0XB0 IM 153-2 High Feature <strong>for</strong> ET200M PROFIBUS DP 1<br />
6ES7195-1GA00-0XA0 DIN rail <strong>for</strong> active bus modules 482mm (19") 1<br />
6ES7195-7HA00-0XA0 Active bus module <strong>for</strong> PS and IM 153 1<br />
6ES7195-7HB00-0XA0 Active bus module <strong>for</strong> 2 modules 40mm wide 1<br />
6ES7195-7HC00-0XA0 Active bus module or 1 module 80 mm wide 1<br />
6ES7326-1BK02-0AB0 Digital input 24DI 24V DC; diagnose fail-safe 1<br />
6ES7326-2BF10-0AB0 Digital output 10DO DC 24V/2A PP; diagnose fail-safe 1<br />
6ES7336-4GE00-0AB0 Analog input 6AI 15 bit; diagnostics fail-safe 1<br />
6ES7392-1BJ00-0AA0 20-pin front connector with spring terminals 1<br />
6ES7392-1BM01-0AA0 Front connector 40-pole with Cage Clamp terminals 2<br />
6ES7400-1JA11-0AA0 UR2 Central/Expansion Unit; 9 Slots K-Bus ALU 1<br />
6ES7407-0KR02-0AA0 Power supply PS407 10A; AC 120/230V-> DC5V/24V redundant 2<br />
6ES7414-5HM06-0AB0 S7-CPU 414-5H; 2x2MB main memory; 1 MPI/DP 1 DP 1<br />
6ES7952-1AM00-0AA0 RAM Memory Card long; 4 MB 1<br />
6ES7960-1AA04-5KA0 Fiber optic cable <strong>for</strong> synch module 10m 1<br />
6ES7960-1AA06-0XA0 Sync. Module <strong>for</strong> Patch Cable up to 10 m 1<br />
6GK7443-1GX20-0XE0 CP 443-1 Advanced Industrial Ethernet S7-400 2<br />
Table A1.3: Architecture 3 List of logic component<br />
PBS.X Cubicle<br />
MAIN SWITCH<br />
BACK-UP SWITCH<br />
RJ45<br />
RJ45<br />
<strong>PSS</strong>-<strong>OS</strong><br />
Rack 0<br />
PSa PSb CPU C<br />
P<br />
a<br />
C<br />
P<br />
b<br />
Sensor a<br />
DP<br />
Sensor b<br />
Actuator a<br />
Actuator b<br />
DP<br />
<strong>PSS</strong>-<strong>OS</strong> Periphery<br />
Rack 1<br />
IM0a DIa DIb DOa DOb AI<br />
AI<br />
Bus 0 Profinet<br />
Bus 1 Profinet<br />
Bus 0 Profibus<br />
Figure A1.3: Architecture 3 Schema<br />
Page 82 of 95
Architecture 4 – High availability architecture with Distributed IO configuration<br />
Order No. Designation Quantity<br />
6ES7153-2BA02-0XB0 IM 153-2 High Feature <strong>for</strong> ET200M PROFIBUS DP 6<br />
6ES7195-1GA00-0XA0 DIN rail <strong>for</strong> active bus modules 482mm (19") 3<br />
6ES7195-7HB00-0XA0 Active bus module <strong>for</strong> 2 modules 40mm wide 3<br />
6ES7195-7HC00-0XA0 Active bus module or 1 module 80 mm wide 3<br />
6ES7195-7HD10-0XA0 Active bus module IM/IM <strong>for</strong> 2 IM153-2 High Feature 3<br />
6ES7326-1BK02-0AB0 Digital input 24DI 24V DC; diagnose fail-safe 3<br />
6ES7326-2BF10-0AB0 Digital output 10DO DC 24V/2A PP; diagnose fail-safe 3<br />
6ES7336-4GE00-0AB0 Analog input 6AI 15 bit; diagnostics fail-safe 3<br />
6ES7392-1BJ00-0AA0 20-pin front connector with spring terminals 3<br />
6ES7392-1BM01-0AA0 Front connector 40-pole with Cage Clamp terminals 6<br />
6ES7400-1JA01-0AA0 UR2 central controller/expansion unit; 9 slots K bus 2<br />
6ES7407-0KR02-0AA0 Power supply PS407 10A; AC 120/230V-> DC5V/24V redundant 4<br />
6ES7414-5HM06-0AB0 S7-CPU 414-5H; 2x2MB main memory; 1 MPI/DP 1 DP 2<br />
6ES7952-1AS00-0AA0 RAM Memory Card long; 16 MB 2<br />
6ES7953-8LM20-0AA0 Micro Memory Card <strong>for</strong> IM151 CPU and S7-300C 4MB 3<br />
6ES7960-1AA04-5KA0 Fiber optic cable <strong>for</strong> synch module 10m 2<br />
6ES7960-1AB06-0XA0 Synch. Module <strong>for</strong> Installation Cable up to 10km 4<br />
6GK7443-1GX20-0XE0 CP 443-1 Advanced Industrial Ethernet S7-400 2<br />
Table A1.4: Architecture 4 List of logic component<br />
Page 83 of 95
PBS.X Cubicle<br />
MAIN SWITCH<br />
BACK-UP SWITCH<br />
RJ45<br />
RJ45<br />
<strong>PSS</strong>-<strong>OS</strong><br />
Rack 0<br />
PS0a PS0b CPU<br />
0<br />
C<br />
P<br />
0<br />
<strong>PSS</strong>-<strong>OS</strong><br />
Rack 1<br />
PS1a PS1b CPU<br />
1<br />
C<br />
P<br />
1<br />
Sync<br />
10m<br />
Sync<br />
10m<br />
DP<br />
FO (2m)<br />
FO (2m)<br />
Sync<br />
10m<br />
Sync<br />
10m<br />
DP<br />
Bus 0 Profibus<br />
Bus 1 Profibus<br />
Bus 0 Profinet<br />
Bus 1 Profinet<br />
Sensor a<br />
Actuator a<br />
<strong>PSS</strong>-<strong>OS</strong> Periphery<br />
Rack 2<br />
DP<br />
DP<br />
IM0a IM1a DIa DI DOa DO DO DO AI<br />
Sensor b<br />
Actuator b<br />
DP<br />
DP<br />
<strong>PSS</strong>-<strong>OS</strong> Periphery<br />
Rack 3<br />
IM0b IM1b DIb<br />
DI DOb DO DO DO AI<br />
Sensor c<br />
Actuator c<br />
DP<br />
DP<br />
IM0c IM1c DIc<br />
DI DOc DO AI<br />
<strong>PSS</strong>-<strong>OS</strong> Periphery<br />
Rack 4<br />
Figure A1.4: Architecture 4 Schema<br />
Page 84 of 95
APPENDIX 2 – Variable Table <strong>for</strong> <strong>OS</strong> Standard Function<br />
The appendix comprises the detailed list of all variable associated with the <strong>OS</strong> standard function and one<br />
associated case study.<br />
The colour code indicates which boxes are pre-defined and which boxes may be completed.<br />
Pre-defined<br />
Has to be completed (specific)<br />
Caution: The following list is a partial variable table.<br />
VARIABLE NAME<br />
DESCRIPTION<br />
FUNCTION<br />
NAME<br />
XXXX-YYYY-SF:IFnn-AI1-TM-ENGvalue Analog input 1 - Engineering value XXXX-YYYY-SF<br />
XXXX-YYYY-SF:IFnn-AI1-TM-SHvalue Analog input 1 - High safety threshold value XXXX-YYYY-SF<br />
XXXX-YYYY-SF:IFnn-AI1-TM-SHHvalue Analog input 1 - High High safety threshold value XXXX-YYYY-SF<br />
XXXX-YYYY-SF:IFnn-AI1-TM-SLvalue Analog input 1 - Low safety threshold value XXXX-YYYY-SF<br />
XXXX-YYYY-SF:IFnn-AI1-TM-SLLvalue Analog input 1 - Low safety threshold value XXXX-YYYY-SF<br />
XXXX-YYYY-SF:IFnn-AI1-TS-SHreach Analog input 1 - High safety threshold reached XXXX-YYYY-SF<br />
Analog input 1 - High High safety threshold<br />
XXXX-YYYY-SF:IFnn-AI1-TS-SHHreach reached<br />
XXXX-YYYY-SF<br />
XXXX-YYYY-SF:IFnn-AI1-TS-SLreach Analog input 1 - Safety threshold SL reached XXXX-YYYY-SF<br />
Analog input 1 - Low low saferty threshold<br />
XXXX-YYYY-SF:IFnn-AI1-TS-SLLreach reached<br />
XXXX-YYYY-SF<br />
XXXX-YYYY-SF:IFnn-AI1-TAGNAME Analog input 1 - Tagname XXXX-YYYY-SF<br />
XXXX-YYYY-SF:IFnn-AI1-TS-INVALIDITY Analog input 1 - Invalidity XXXX-YYYY-SF<br />
XXXX-YYYY-SF:IFnn-AI1-TS-OVRenab Analog input 1 - Override enabled XXXX-YYYY-SF<br />
XXXX-YYYY-SF:IFnn-AI1-TS-OVRdisab Analog input 1 - Override disabled XXXX-YYYY-SF<br />
XXXX-YYYY-SF:IFnn-AI2-TM-ENGvalue Analog input 2 - Engineering value XXXX-YYYY-SF<br />
XXXX-YYYY-SF:IFnn-AI2-TM-SHvalue Analog input 2 - High safety threshold value XXXX-YYYY-SF<br />
XXXX-YYYY-SF:IFnn-AI2-TM-SHHvalue Analog input 2 - High High safety threshold value XXXX-YYYY-SF<br />
XXXX-YYYY-SF:IFnn-AI2-TM-SLvalue Analog input 2 - Low safety threshold value XXXX-YYYY-SF<br />
XXXX-YYYY-SF:IFnn-AI2-TM-SLLvalue Analog input 2 - Low safety threshold value XXXX-YYYY-SF<br />
XXXX-YYYY-SF:IFnn-AI2-TS-SHreach Analog input 2 - High safety threshold reached XXXX-YYYY-SF<br />
Analog input 2 - High High safety threshold<br />
XXXX-YYYY-SF:IFnn-AI2-TS-SHHreach reached<br />
XXXX-YYYY-SF<br />
XXXX-YYYY-SF:IFnn-AI2-TS-SLreach Analog input 2 - Safety threshold SL reached XXXX-YYYY-SF<br />
Analog input 2 - Low low saferty threshold<br />
XXXX-YYYY-SF:IFnn-AI2-TS-SLLreach reached<br />
XXXX-YYYY-SF<br />
XXXX-YYYY-SF:IFnn-AI2-TAGNAME Analog input 2 - Tagname XXXX-YYYY-SF<br />
XXXX-YYYY-SF:IFnn-AI2-TS-INVALIDITY Analog input 2 - Invalidity XXXX-YYYY-SF<br />
XXXX-YYYY-SF:IFnn-AI2-TS-OVRenab Analog input 2 - Override enabled XXXX-YYYY-SF<br />
XXXX-YYYY-SF:IFnn-AI2-TS-OVRdisab Analog input 2 - Override disabled XXXX-YYYY-SF<br />
XXXX-YYYY-SF:IFnn-AI3-TM-ENGvalue Analog input 3 - Engineering value XXXX-YYYY-SF<br />
XXXX-YYYY-SF:IFnn-AI3-TM-SHvalue Analog input 3 - High safety threshold value XXXX-YYYY-SF<br />
XXXX-YYYY-SF:IFnn-AI3-TM-SHHvalue Analog input 3 - High High safety threshold value XXXX-YYYY-SF<br />
Table A2.1: Partial Variable Table of <strong>OS</strong> Standard Function<br />
After download of the <strong>OS</strong> standard function variable list from IDM, the <strong>PSS</strong>-<strong>OS</strong> Designer will replace the bold<br />
characters located in the green columns by the correct values, in compliance with the rules above.<br />
Page 85 of 95
More details <strong>for</strong> each type of variable:<br />
The usage of the interface function variables is detailed in the tables below.<br />
Some variables are multiple, but only one kind of variable is described below.<br />
XXXX-YYYY-SF:IFnn-AI1-TM-ENGvalue<br />
1 This is the analogue transmitter value scaled by the PLC to an engineering value.<br />
This value can be displayed in the CSS-<strong>OS</strong> supervision<br />
XXXX-YYYY-SF:IFnn-AI1-TM-SHvalue<br />
2 This is the analogue transmitter high level switch value in engineering units.<br />
This level is used by the PLC to raise the high level alarm.<br />
This value is the high level alarm set point.<br />
XXXX-YYYY-SF:IFnn-AI1-TM-SHHvalue<br />
3 This is the analogue transmitter very high level switch value in engineering units.<br />
This level is used by the PLC to raise the very high level alarm.<br />
This value is the very high level alarm set point.<br />
XXXX-YYYY-SF:IFnn-AI1-TM-SLvalue<br />
4 This is the analogue transmitter low level switch value in engineering units.<br />
This level is used by the PLC to raise the low level alarm.<br />
This value is the low level alarm set point.<br />
XXXX-YYYY-SF:IFnn-AI1-TM-SLLvalue<br />
5 This is the analogue transmitter very low level switch value in engineering units.<br />
This level is used by the PLC to raise the very low level alarm.<br />
This value is the very low level alarm set point.<br />
6<br />
7<br />
XXXX-YYYY-SF:IFnn-AI1-TS-SHreach<br />
This is the analogue transmitter high level switch signal.<br />
If the transmitter value (measured) becomes greater than or equal to the high level, then the PLC will<br />
raise an alarm.<br />
This alarm can be overridden.<br />
This variable might be used to generate the high level alarm.<br />
XXXX-YYYY-SF:IFnn-AI1-TS-SHHreach<br />
This is the analogue transmitter very high level switch signal.<br />
If the transmitter value (measured) becomes greater than or equal to the very high level, then the PLC<br />
will raise an alarm.<br />
This alarm can be overridden.<br />
This variable might be used to generate the very high level alarm.<br />
8<br />
XXXX-YYYY-SF:IFnn-AI1-TS-SLreach<br />
This is the analogue transmitter low level switch signal.<br />
If the transmitter value (measure) becomes lower than or equal to the low level, then the PLC will<br />
raise an alarm.<br />
This alarm can be overridden.<br />
This variable might be used to generate the low level alarm.<br />
9 XXXX-YYYY-SF:IFnn-AI1-TS-SLLreach<br />
Page 86 of 95
This is the analogue transmitter very low level switch signal.<br />
If the transmitter value (measure) becomes lower than or equal to the very low level, then the PLC<br />
will raise an alarm.<br />
This alarm can be overridden.<br />
This variable might be used to generate the very low level alarm.<br />
XXXX-YYYY-SF:IFnn-AI1-TAGNAME<br />
10 This is the analogue transmitter name.<br />
This setting is used as a maintenance reference parameter filled from the PLC database to be<br />
displayed in the <strong>OS</strong>-supervision.<br />
11<br />
XXXX-YYYY-SF:IFnn-AI1-TS-INVALIDITY<br />
This is a binary indication of the analogue transmitter signal’s health.<br />
If the PLC measurement becomes out of range, then the transmitter invalid status will be indicated.<br />
Generally, either the transmitter wire is disconnected (open loop) or a short-circuit has been detected.<br />
An alarm might be raised when this signal becomes true.<br />
12<br />
XXXX-YYYY-SF:IFnn-AI1-TS-OVRenab<br />
This is a binary indication of the analogue transmitter override status.<br />
If this binary signal becomes true, then it means that an override has been set <strong>for</strong> this transmitter. The<br />
transmitter override has effect on its four levels (HH, H, L, LL).<br />
This variable is combined with the other one (….TS-OVRdisab).<br />
13<br />
XXXX-YYYY-SF:IFnn-AI1-TS-OVRdisab<br />
This is a binary indication of the analogue transmitter override status.<br />
If this binary signal becomes true, then it means that an override has been removed <strong>for</strong> this<br />
transmitter.<br />
The transmitter override has effect on its four levels (HH, H, L, LL).<br />
This variable is combined with the other one (….TS-OVRenab).<br />
14<br />
XXXX-YYYY-SF:IFnn-DI1-TS-INVALIDITY<br />
This is a binary indication of the digital input signal’s health.<br />
For a safety signal (digital input), a monitoring line looks <strong>for</strong> either a short circuit or an open loop.<br />
If the PLC detects one of the two failures, then the digital input invalid status will be indicated.<br />
An alarm might be raised when this signal becomes true.<br />
XXXX-YYYY-SF:IFnn-DI1-TS-STATE<br />
15 This is a binary indication of the digital input state (is the digital input true or false).<br />
This variable is equal to the digital input hardware value.<br />
XXXX-YYYY-SF:IFnn-DI1-TAGNAME<br />
16 This is the digital input name.<br />
This setting is used as a maintenance reference parameter filled from the PLC database to be<br />
displayed in the <strong>OS</strong>-supervision.<br />
17<br />
XXXX-YYYY-SF:IFnn-DI1-TS-OVRenab<br />
This is a binary indication of the digital input override status which is quite useful <strong>for</strong> the<br />
maintenance team.<br />
If this binary signal becomes true, then it means an override has been set <strong>for</strong> this digital input.<br />
An override status disables the trip on its trip value, and also when its invalid status is raised.<br />
Page 87 of 95
This variable is combined with the other one (….TS-OVRdisab).<br />
18<br />
XXXX-YYYY-SF:IFnn-DI1-TS-OVRdisab<br />
This is a binary indication of the digital input override status which is quite useful <strong>for</strong> the<br />
maintenance team.<br />
If this binary signal becomes true, then it means an override has been removed <strong>for</strong> this digital input.<br />
An override status disables the trip on its trip value, and also when its invalid status is raised.<br />
This variable is combined with the other one (….TS-OVRdisab).<br />
19<br />
XXXX-YYYY-SF:IFnn-DO1-TS-INVALIDITY<br />
This is a binary indication of the digital output signal’s health.<br />
For a safety signal (digital output), a monitoring line looks <strong>for</strong> either a short-circuit or an open loop.<br />
If the PLC detects one of the two failures, then the digital output invalid status will be indicated.<br />
An alarm might be raised when this signal becomes true.<br />
20<br />
XXXX-YYYY-SF:IFnn-DO1-TS-OVRvalue<br />
This is the binary feedback of the digital output override value which is applied when the override<br />
mode is enabled.<br />
If this binary feedback becomes true, then it means that the digital output is set to “true”, so the<br />
override mode is set to enable.<br />
The logic is detailed in the logic diagram.<br />
21<br />
XXXX-YYYY-SF:IFnn-DO1-TS-OVRmode<br />
This is a binary indicator which is a feedback about the override mode.<br />
The override logic sets the override binary command, to select the override mode.<br />
If the override mode is set to “true”, then the digital output will be equal to the override value.<br />
This signal [..TS-OVR mode] is specific <strong>for</strong> the Digital Output override mode management.<br />
XXXX-YYYY-SF:IFnn-DO1-TS-STATE<br />
22 This is a binary indication of the digital output state (is the digital output true or false).<br />
The state includes the override management.<br />
This variable is equal to the digital output hardware value.<br />
XXXX-YYYY-SF:IFnn-DO1-TAGNAME<br />
23 This is the digital output name.<br />
This setting is used as a maintenance reference parameter filled from the PLC database to be<br />
displayed in the <strong>OS</strong>-supervision.<br />
24<br />
XXXX-YYYY-SF:IFnn-OVR-TM-NUM<br />
This is the override number feedback. It takes the value of the active override.<br />
The standard override function is <strong>design</strong>ed to manage 5000 overrides per function.<br />
So, this variable can take a value between 0 to 9999 :<br />
- <strong>for</strong> an override setting operation, 0
25<br />
XXXX-YYYY-SF:IFnn-OVR-TM-NUM10000<br />
This variable is not useful <strong>for</strong> the operator, but is a protocol requirement.<br />
The communication protocol between <strong>OS</strong>-supervision and CSS is qualified as robust thanks to<br />
handshake management: after the CSS-supervision has transmitted the required override number to<br />
the PLC, the PLC responds to the <strong>OS</strong>-supervision with the received override number added to 10000.<br />
Then, the supervision compares the override number sent and the override number received.<br />
When there is a positive match between the transmitted and received values, it permits the<br />
supervision to enable the digital override operator command.<br />
26<br />
XXXX-YYYY-SF:IFnn-OVR-TS-ACTIV<br />
This is a Boolean feedback indicator that in<strong>for</strong>ms the DCS about what the PLC has understood (set or<br />
remove the bypass).<br />
This value can be used to indicate in the <strong>OS</strong>-supervision that at least one override is set <strong>for</strong> the<br />
function.<br />
XXXX-YYYY-SF:IFnn-OVR-TS-DESACTIV<br />
27 This is a Boolean feedback indicator that in<strong>for</strong>ms the DCS about what the PLC has understood (set or<br />
remove the bypass).<br />
This value can be used to indicate in the <strong>OS</strong>-supervision that no override is set <strong>for</strong> the function.<br />
28<br />
XXXX-YYYY-SF:IFnn-OVR-TS-WIN<br />
This variable is not useful <strong>for</strong> the operator.<br />
This is an <strong>OS</strong>-supervision requirement used to manage the override popup window <strong>for</strong> the function.<br />
According to the protocol between <strong>OS</strong>-supervision and CSS, after a successful override number<br />
comparison, the operator may confirm the override request be<strong>for</strong>e a 30 seconds timeout. If the<br />
timeout expires, then the request is cancelled and the popup disappears automatically.<br />
This variable is managed by the PLC, and is used to control the appearance of the popup.<br />
XXXX-YYYY-SF:IFnn-OVR-TR-NUM<br />
29 This variable is not useful <strong>for</strong> the operator, but is a protocol requirement.<br />
According to the protocol between <strong>OS</strong>-supervision and CSS, this variable corresponds to the one<br />
which is set by the operator and transmitted to the PLC <strong>for</strong> an override setting or removing request.<br />
30<br />
XXXX-YYYY-SF:IFnn-OVR-TC-VALID<br />
This is the Boolean variable used by a maintenance operator to validate an override command be<strong>for</strong>e<br />
the timeout expiration.<br />
This variable is connected to the “validation” button located in the override popup.<br />
The override becomes effective only after that validation.<br />
31<br />
XXXX-YYYY-SF:IFnn-SAF-TC-MAINTreset<br />
A maintenance operation might be signalled to the <strong>OS</strong>-supervision. An alarm (<strong>for</strong> a safety function)<br />
can be managed by a maintenance operator (a password is required).<br />
Once the maintenance operation is finished, this alarm can be removed by clicking a dedicated button<br />
“Maintenance mode” located in the matrix.<br />
This variable is linked to this button.<br />
32<br />
XXXX-YYYY-SF:IFnn-SAF-TC-MAINTset<br />
A maintenance operation might be signalled to the <strong>OS</strong>-supervision. An alarm (<strong>for</strong> a safety function)<br />
can be managed by a maintenance operator (a password is required).<br />
When the maintenance operation starts, this alarm can be set by clicking a dedicated button<br />
“Maintenance mode” located in the matrix.<br />
Page 89 of 95
This variable is linked to this button.<br />
33<br />
XXXX-YYYY-SF:IFnn-SAF-TC-RESET<br />
A safety function has a reset command that enables the safety function after a trip.<br />
This variable is linked to the safety function “reset button” located in the matrix.<br />
There is one reset command per safety function that resets all of the latched trips which have<br />
disappeared.<br />
34<br />
XXXX-YYYY-SF:IFnn-SAF-TM-INPUTstate<br />
This variable can have 16 possible states (maximum).<br />
The combination of the 16 states (array of 16 bool) makes the variable value.<br />
Each state is dedicated to a variable which represents the safety function inputs (trip condition).<br />
This will be used to display the <strong>OS</strong>-supervision alarms according to the safety function specification<br />
(number of inputs, outputs…).<br />
More details <strong>for</strong> this variable:<br />
INPUTstate INT bit0 memorized state of function DI1 True=Input 1 is tripped ; False=Input 1 is not tripped<br />
bit1 memorized state of function DI2 True=Input 2 is tripped ; False=Input 2 is not tripped<br />
bit2 memorized state of function DI3 True=Input 3 is tripped ; False=Input 3 is not tripped<br />
bit3 memorized state of function DI4 True=Input 4 is tripped ; False=Input 4 is not tripped<br />
bit4 AI 1 threshold reached True= A threshold on AI 1 is reached ; False = no threshold on<br />
AI 1 is reached<br />
bit5 AI 2 threshold reached True= A threshold on AI 2 is reached ; False = no threshold on<br />
AI 2 is reached<br />
bit6 AI 3 threshold reached True= A threshold on AI 3 is reached ; False = no threshold on<br />
AI 3 is reached<br />
bit7 AI 4 threshold reached True= A threshold on AI 4 is reached ; False = no threshold on<br />
AI 4 is reached<br />
bit8 spare<br />
bit9 spare<br />
bit10 spare<br />
bit11 spare<br />
bit12 spare<br />
bit13 spare<br />
bit14 spare<br />
bit15 spare<br />
35<br />
XXXX-YYYY-SF:IFnn-SAF-TM-STATE<br />
This is the safety function state given by the PLC.<br />
The variable <strong>for</strong>mat is an integer.<br />
There are three possible values :<br />
0: abnormal / unknown<br />
1: normal<br />
2: degraded<br />
3: tripped<br />
36<br />
XXXX-YYYY-SF:IFnn-SAF-TS-MAINT<br />
This is the maintenance alarm of the safety function managed by the Boolean commands […SAF-<br />
TC-MAINTset] and […SAF-TC-MAINTreset].<br />
Normally, it is used to warn the <strong>OS</strong>-supervision operator that a maintenance operation on the safety<br />
function is in progress.<br />
It has no effect on the process, but only generates a time-stamped alarm on the <strong>OS</strong>-supervision.<br />
XXXX-YYYY-SF:IFnn-SAF-TS-OVER<br />
37 This is a binary indicator of the safety function override enabling.<br />
This signal is true when at least one override is set on the safety function.<br />
Page 90 of 95
A dedicated alarm is set in the <strong>OS</strong>-supervision.<br />
XXXX-YYYY-SF:IFnn-SAF-TS-RESETrdy<br />
38 When the all condition trips are false, a Boolean variable indicates the safety function is “ready to<br />
reset”. This means that if an operator clicks the “reset button”, the safety function will be reset.<br />
XXXX-YYYY-SF:IFnn-SAF-TAGNAME<br />
39 This is the safety function name.<br />
This setting is used as a maintenance reference parameter filled from the PLC database to be<br />
displayed in the <strong>OS</strong>-supervision.<br />
Case study<br />
To illustrate the concepts above, a small case study of the implementation of a standard <strong>OS</strong> I&C function is<br />
presented.<br />
In this case study, three infrared barriers protect personnel from the process area. In the case of an intrusion, one<br />
of the three infrared barriers will be cut which will immediately alert the supervision and automatically stop the<br />
process located in the safety area.<br />
Figure A2.1: Case Study schema<br />
Page 91 of 95
The <strong>PSS</strong>-<strong>OS</strong> Safety PLC manages three digital inputs (infrared barriers) to control one digital output (process<br />
shut-down command).<br />
DI 1 Infrared barrier #1<br />
DI 2 Infrared barrier #2<br />
DI 3 Infrared barrier #3<br />
DO 1 Process shut-down command<br />
According to the above Input & Output of the case study, the <strong>PSS</strong>-<strong>OS</strong> <strong>design</strong>er will select the following variables<br />
from the <strong>OS</strong> standard function typical:<br />
Interface<br />
Connection used<br />
Function 31 32 33 38 35 37 36 34<br />
DI 1 15 14 17 18<br />
DI 2 15 14 17 18<br />
DI 3 15 14 17 18<br />
DO 1 22 19 20 21<br />
Interface Function detail:<br />
Override 29 30 24 26 27 25 28<br />
- PLC name: 99-ABC-<br />
PLC-001,<br />
- PSH name: PSH000,<br />
- Plant system: 99-Example System Name (ABC),<br />
- Plant system I&Cs: DEFG.<br />
The function identified as the interface function #7 is a safety function (SF) called “control zone”.<br />
The xml file containing the variable list corresponding to the case study specifications is shown in the table below.<br />
Caution: The following list is a partial variable table.<br />
Page 92 of 95
Table A2.2: Partial Variable Table of Case Study<br />
Page 93 of 95
APPENDIX 3 – Functional representation of <strong>OS</strong> Standard<br />
function<br />
reset<br />
R<br />
Latched<br />
Trip<br />
AI 1 value<br />
Safety threshold 1<br />
AI 1 invalidity<br />
LOGIC TEST<br />
=<br />
NOT<br />
A<br />
≥1<br />
&<br />
S<br />
Override<br />
value<br />
SEL<br />
Override<br />
mode<br />
SEL<br />
0<br />
1<br />
OUTPUT 1<br />
R<br />
Latched<br />
Trip<br />
TRUE<br />
FALSE<br />
AI n value<br />
Safety threshold n<br />
LOGIC TEST<br />
=<br />
≥1<br />
&<br />
S<br />
AI n invalidity<br />
NOT<br />
LOGIC TRIP<br />
(OR)<br />
Override<br />
mode<br />
SEL<br />
R<br />
Latched<br />
Trip<br />
MATRIX<br />
SAFETY<br />
MANAGEMENT<br />
TRUE<br />
Override<br />
value<br />
SEL<br />
0<br />
1<br />
OUTPUT 2<br />
FALSE<br />
DI 1 trip<br />
DI 1 invalidity<br />
B<br />
≥1<br />
&<br />
S<br />
NOT<br />
Override<br />
mode<br />
SEL<br />
R<br />
Latched<br />
Trip<br />
Override<br />
value<br />
SEL<br />
0<br />
1<br />
OUTPUT 3<br />
DI n trip<br />
DI n invalidity<br />
≥1<br />
&<br />
S<br />
TRUE<br />
FALSE<br />
NOT<br />
Override number<br />
Override validation<br />
override<br />
Override enable<br />
Override disable<br />
DI : [...TS-OVRenab]<br />
DO : [...TS-OVRmode]<br />
A<br />
B<br />
Figure A3.1: Functional representation schema<br />
Page 94 of 95
APPENDIX 4 – Variable Table <strong>for</strong> <strong>OS</strong> Standard Emergency<br />
Button monitoring<br />
The appendix comprises the detailed list of all variable associated with the <strong>OS</strong> Standard Emergency Button<br />
monitoring.<br />
As described above, the function can monitor a maximum of 4 buttons.<br />
Caution: The following list is a partial variable table.<br />
VARIABLE NAME DESCRIPTION FUNCTION NAME<br />
XXXX-YYYY-SF-EBnn-DI1-TS-INVALIDITY Digital input 1 - Invalidity XXXX-YYYY-SF<br />
XXXX-YYYY-SF-EBnn-DI1-TS-STATE Digital input 1 - State XXXX-YYYY-SF<br />
XXXX-YYYY-SF-EBnn-DI1-TAGNAME Digital input 1 - Name XXXX-YYYY-SF<br />
XXXX-YYYY-SF-EBnn-DI2-TS-INVALIDITY Digital input 2 - Invalidity XXXX-YYYY-SF<br />
XXXX-YYYY-SF-EBnn-DI2-TS-STATE Digital input 2 - State XXXX-YYYY-SF<br />
XXXX-YYYY-SF-EBnn-DI2-TAGNAME Digital input 2 - Name XXXX-YYYY-SF<br />
XXXX-YYYY-SF-EBnn-DI3-TS-INVALIDITY Digital input 3 - Invalidity XXXX-YYYY-SF<br />
XXXX-YYYY-SF-EBnn-DI3-TS-STATE Digital input 3 - State XXXX-YYYY-SF<br />
XXXX-YYYY-SF-EBnn-DI3-TAGNAME Digital input 3 - Name XXXX-YYYY-SF<br />
XXXX-YYYY-SF-EBnn-DI4-TS-INVALIDITY Digital input 4 - Invalidity XXXX-YYYY-SF<br />
XXXX-YYYY-SF-EBnn-DI4-TS-STATE Digital input 4 - State XXXX-YYYY-SF<br />
XXXX-YYYY-SF-EBnn-DI4-TAGNAME Digital input 4 - Name XXXX-YYYY-SF<br />
Table A4.1: Partial Variable Table of <strong>OS</strong> Standard Emergency Button Monitoring<br />
More details <strong>for</strong> each type of variable:<br />
The usage of the interface function variables is detailed in the tables below.<br />
Some variables are multiple, but only one kind of variable is described below.<br />
1<br />
XXXX-YYYY-SF:EBnn-DIx-TS-INPUTinvalid<br />
This is the <strong>PSS</strong> digital hardware safety input health signal (push button). If true, the variable means<br />
the input signal is unavailable (either because of a short-circuit or open-loop detection).<br />
This will normally raise the trip command of the CSS.<br />
This raises an alarm in the CSS-<strong>OS</strong> supervision and also in the hardware critical panel in the high<br />
integrity case.<br />
2<br />
XXXX-YYYY-SF:EBnn-DIx-TS-INPUTstate<br />
This variable is a Boolean.<br />
It is the process value of the emergency push button wired in the <strong>PSS</strong> and transmitted to the CSS to<br />
achieve the safety trip command or not.<br />
This raises an alarm in the CSS-<strong>OS</strong> supervision and also in the hardware critical panel in the high<br />
integrity case.<br />
3<br />
XXXX-YYYY-SF:EBnn-DIx-TAGNAME<br />
This is the digital input tagname.<br />
Page 95 of 95