PIS Operation and Maintenance - Iter

IDM UID 

7L9QXR 

VERSION CREATED ON / VERSION / STATUS 

24 Jan 2013 / 1.0/ Approved 

EXTERNAL REFERENCE 

Memorandum / Note 

PIS Operation and Maintenance 

This document presents a preliminary study on future operation and maintenance of the PIS 

that have impact on the design of the systems. The document is the first version of one of the 

PCDH Satellite Documents for the interlocks. 

Approval Process 

Name Action Affiliation 

Author Savouillan M. 24-Jan-2013:signed IO/DG/DIP/CHD/CSD/CDC 

CoAuthor Vergara Fernandez A. 24-Jan-2013:signed IO/DG/DIP/CHD/CSD/PCI 

Reviewers Yonekawa I. 

Wallander A. 

25-Jan-2013:recommended 

05-Feb-2013:recommended 

IO/DG/DIP/CHD/CSD/PCI 

IO/DG/DIP/CHD/CSD 

Approver Thomas P. 24-Mar-2013:approved IO/DG/DIP/CHD 

Document Security: level 1 (IO unclassified) 

RO: Vergara Fernandez Antonio 

Read Access AD: ITER, AD: External Collaborators, AD: Division - Control System Division - EXT, AD: Section - 

CODAC - EXT, AD: Section - CODAC, project administrator, RO, LG: CODAC team, LG: Interlock Gang, 

AD: Only-staff 

PDF generated on 24-Mar-2013 

DISCLAIMER : UNCONTROLLED WHEN PRINTED – PLEASE CHECK THE STATUS OF THE DOCUMENT IN IDM

Title (Uid) 

Versio 

n 

Change Log 

Latest Status Issue Date Description of Change 

PIS Operation and 

Maintenance 

(7L9QXR_v1_0) 

PIS Operation and 

Maintenance 

(7L9QXR_v0_0) 

v1.0 Approved 24 Jan 

2013 

v0.0 In Work 06 Nov 

2012 

Version for PCDH v7 

PDF generated on 24-Mar-2013 

DISCLAIMER : UNCONTROLLED WHEN PRINTED – PLEASE CHECK THE STATUS OF THE DOCUMENT IN IDM

Table of Contents 

1 Introduction .....................................................................................................................................2 

1.1 PCDH context .........................................................................................................................2 

1.2 Document Scope ....................................................................................................................2 

1.3 Acronyms................................................................................................................................3 

1.4 Related documents ................................................................................................................3 

2 Principles.........................................................................................................................................4 

3 Interlock Operation and Maintenance Actions.............................................................................4 

4 Interlock Operation and Maintenance Reliability.........................................................................5 

5 Interlock Operation and Maintenance Tools ................................................................................6 

6 Interface ICS-CODAC......................................................................................................................7 

7 Interface PIS-CIS .............................................................................................................................8 

Page 1 of 8

1 Introduction 

1.1 PCDH context 

The Plant Control Design Handbook (PCDH) [RD1] defines the methodology, standards, specifications 

and interfaces applicable to the whole life cycle of ITER plant instrumentation & control (I&C) systems. 

I&C standards are essential for ITER to: 

• Integrate all plant systems into one integrated control system. 

• Maintain all plant systems after delivery acceptance. 

• Contain cost by economy of scale. 

PCDH comprises a core document which presents the plant system I&C life cycle and recaps the main 

rules to be applied to the plant system I&Cs for conventional controls, interlocks and safety controls. 

Some I&C topics are explained in greater detail in dedicated documents associated with PCDH as 

presented in Figure 1. This document is one of them. 

PCDH core and satellite documents: v7 

PS CONTROL DESIGN 

INTERLOCK CONTROLS 

Guidelines PIS design (3PZ2D2) 

Guidelines for PIS integration & config. (7LELG4) 

Management of local interlock functions (75ZVTY) 

PIS Operation and Maintenance (7L9QXR) 

Plant system I&C architecture (32GEBH) 

Methodology for PS I&C specifications (353AZY) 

CODAC Core System Overview (34SDZ5) 

I&C CONVENTIONS 

I&C Signal and variable naming (2UT8SH) 

ITER CODAC Glossary (34QECT) 

ITER CODAC Acronym list (2LT73V) 

OCCUPATIONAL SAFETY CONTROLS 

Guidelines for PSS design 

NUCLEAR PCDH (2YNEFU) 

CATALOGUES for PS CONTROL 

Slow controllers products (333J63) 

Fast controller products (345X28) 

Cubicle products (35LXVZ) 

Integration kit for PS I&C (C8X9AE) 

Core PCDH (27LH2V) 

Plant system control philosophy 

Plant system control Life Cycle 

Plant system control specifications 

CODAC interface specifications 

Interlock I&C specification 

Safety I&C specification 

PS CONTROL DEVELOPMENT 

I&C signal interface (3299VT) 

PLC software engineering handbook (3QPL4H) 

Guidelines for fast controllers (333K4C) 

CODAC software development environment (2NRS2K) 

Guidelines for I&C cubicle configurations (4H5DW6) 

CWS case study specifications (35W299) 

PS SELF DESCRIPTION DATA 

Self description schema documentation (34QXCP) 

PS CONTROL INTEGRATION 

The CODAC -PS Interface (34V362) 

PS I&C integration plan (3VVU9W) 

ITER alarm system management (3WCD7T) 

ITER operator user interface (3XLESZ) 

Guidelines for PON archiving (87N2B7) 

PS Operating State management (AC2P4J) 

Guidelines for Diagnostic data structure (354SJ3) 

Legend 

This document 

Available and approved 

Expected 

(XXXXXX) IDM ref. 

Figure 1: PCDH documents structure 

1.2 Document Scope 

This document presents the concepts of a preliminary study of future operation and maintenance of 

the part of the plant system I&C which implements the investment protection functions (PIS) which 

have an impact on its design. The document describes the operations that will be executed from the 

Control Room and the proposed tools. It also introduces the notion of procedures for supervising 

operation and maintenance activities. 

This document does not provide the guidelines to be followed by the plant system I&C designers 

for the implementation of the interfaces with the operation and maintenance tools. These are 

described in Guidelines for PIS design [RD2] for the hardware part and in Guidelines for PIS 

Configuration and Integration [RD4] for the configuration part. 

Page 2 of 8

1.3 Acronyms 

Table 1 shows the acronyms used in this document. The relevant acronyms have been extracted 

from the complete list in PCDH. 

Acronym 

CIN 

CIS 

CODAC 

EPICS 

GOS 

HMI 

I&C 

ICS 

IO 

PCDH 

PIN 

PIS 

PLC 

PON 

PS 

PSCC 

PSH 

Item 

Central Interlock Network 

Central Interlock System 

COntrol, Data Access and Communication 

Experimental Physics and Industrial Control System 

Global Operating State 

Human Machine Interface 

Instrumentation & Control 

Interlock Control System 

ITER Organization 

Plant Control Design Handbook 

Plant Interlock Network 

Plant Interlock System 

Programmable Logic Controller 

Plant Operation Network 

Plant System 

Plant System Conventional Control 

Plant System Host 

Table 1: list of acronyms 

1.4 Related documents 

[RD1] Plant Control Design Handbook (PCDH) (ITER_D_27LH2V) 

[RD2] Guidelines for PIS Design (ITER_D_3PZ2D2) 

[RD3] Management of Local Interlock Functions (ITER_D_75ZVTY) 

[RD4] Guidelines for PIS Configuration and Integration (ITER_D_7LELG4) 

[RD5] Central Interlock System Preliminary Design (CIS P-DDD) (ITER_D_CW5PKC) 

[RS1] IEC 61508 Functional safety of electrical/electronic/programmable electronic safety-related 

systems 

[RS2] IEC 61511 Functional safety – Safety instrumented systems for the process industry sector 

Page 3 of 8

2 Principles 

The plant systems constitute the main parts of the ITER facility and will be delivered by the project 

members with their own control systems (Plant System I&Cs). The plant interlock systems are the part 

of plant system I&Cs which implement investment protection functions. 

The CODAC (Control, Data Access and Communication) system is the central (supervisory) control 

system for the conventional plant control systems of ITER. CODAC is responsible for integrating all 

plant systems I&C and enabling operation of ITER as a single integrated facility, providing overall plant 

system coordination, supervision, alarm handling, data archiving and plant visualization (HMI). 

The Central Interlock System (CIS) implements the central protection functions via the Plant Interlock 

Systems (PIS). It also provides access to the local interlock data of the various plant interlock systems. 

The Interlock Control System (ICS) is in charge of the supervision and control of all the ITER 

components involved in the instrumented protection of the tokamak and its auxiliary systems. It 

comprises the Central Interlock System (CIS), the various plant interlock systems (PIS) and its 

networks. The ICS does not include the plant system sensors and actuators but it controls them. 

3 Interlock Operation and Maintenance Actions 

Operations affecting the interlocks at ITER are classified into two main blocks: those routine operations 

executed during the daily operation of the tokamak and its associated systems, and the special ones 

carried out during commissioning or maintenance periods. 

 

Routine manual actions during machine operation: 

 

 

 

 

Monitoring of CIS and PIS status and of interlock-related process variables and 

parameters: all interlock variables and parameters required for operation of the interlock 

systems will be displayed in the control room (machine states, central and local interlock 

events and actions, sensor and final element status, results of diagnostics). 

Post Mortem analysis: All the interlock variables and parameters will be logged and 

appropriate post mortem analysis tools will be available to analyse interlock events. 

Reset (unlatch) of interlock functions, actuators and sensors: after the activation of an 

interlock function, either a central one (triggered by the CIS) or a local one (related to a 

given PIS), it is necessary to reset it before normal operation can continue. Indeed, the 

interlock system shall be designed in such a way that once it has placed the process in a 

safe state (commanding protection actions), it shall remain in the safe state until a reset has 

been initiated unless otherwise directed by specifications. The interlock system will always 

supervise that all the conditions required for safe operation are met, and will only allow the 

function to be reset as the last step after recovery from an interlock event. The reset shall 

be ignored by the system as long as the hazard (represented by a set of conditions and 

events) has not been eliminated. 

Manual activation of ‘Permits’ and ‘Inhibits’: These are operator preventive commands 

that may be implemented in order to prevent the system for operating. A ‘Permit’/’Inhibit’ is 

granted by the interlock system only if all other conditions for a safe operation are met. 

 

Special (critical) manual actions during operation, maintenance and commissioning: 

 

By-pass and masking of interlock functions, signals and actions: an interlock function is 

put in place to protect ITER from incorrect operation and other external hazards. Therefore 

the masking of an interlock function should be avoided as far as possible. However, in 

some situations during commissioning it is necessary to isolate certain systems for testing 

and thus the related interlock functions have to be by-passed, or certain interlock signals 

masked. As these operations present a potential hazard, they must be managed in a way 

that the operator is aware at all times of the particular configuration and they should be 

easy to remove. 

Page 4 of 8

Detailed system diagnostics: In order to improve maintenance activities (repair and 

preventive), detailed diagnostics must be available of hardware components (CPU, I/O 

modules…), of network status and performance and of communications links. 

Function configuration: for correct operation, an interlock function may require certain 

parameters to be provided manually, depending on the operating state of the machine or a 

given component. These parameters have a direct impact on the performance of the 

interlock function. 

Thresholds management: thresholds normally remain fixed during normal operation, but 

have to be tuned during commissioning and maintenance. A design philosophy based on 

two threshold levels is proposed: one changeable threshold to adjust to the operational 

window, and a second fixed threshold value related to the design value of the components 

or system. 

Software/firmware updates: interlock functions, controller software and firmware may 

evolve in time as a result of changing requirements or improvements. These changes 

require a full or partial stop of the system (temporary disconnection of a module while the 

others stay on-line) and imply a direct intervention in the cubicle. A verification and 

validation cycle for each interlock function will have to be completed and changes will have 

to be thoroughly tested on the test bench. 

4 Interlock Operation and Maintenance Reliability 

The Interlock Control System is a critical system with very strict reliability constraints. In order to prevent 

hardware failures, several architectural strategies are put into practice, including redundancy, high 

integrity of the components, test and maintenance policies, etc. However, a system is more commonly 

prone to failure through its weakest link: human operations. In order to protect against such operational 

errors, several aspects are considered during the design: 

 

Physical and geographical protection: 

 

 

 

Access to critical components and the performance of dangerous operations is only 

possible from certain locations. Depending on the type of intervention, it may be better 

either to centralize the actions in the Main Control Room or to only allow intervention at the 

cubicle level. 

Interlock cubicles must be easily distinguishable and use different keys to other systems’ 

cubicles. 

To avoid errors during maintenance in the field, accessible components must be kept as far 

away as possible from other systems’ components. 

 

Protections at the Human Machine Interface level: 

 

 

 

Role-based access to the system: a role-based login system manages the kind of actions 

that an operator can perform using the HMI depending on his/her expertise and rights. 

Identification and label: interlock data must be easily distinguishable and labels will permit 

the operator to be aware of the interlock classification for the monitoring data and controls 

displayed/accessible on the HMIs. 

Confirmation step: a repeat confirmation step minimizes unintentional operator commands. 

 

CIS automatic self-protection against human errors: this self-protection should cover all 

possible routine operational mistakes as well as some special cases, including: 

 

The interlock system should ignore a manual instruction from the operator if it may lead to a 

dangerous situation or if the conditions are not correct for changing its internal status (e.g. 

Page 5 of 8

equest to close the quench loop (reset) when there is still current in the coils; recovery of 

the ‘power permit’ in a power supply when cryo ‘not OK’). 

 

 

The interlock system should ignore an interlock mask when there is a dangerous machine 

status (e.g. interlock bypass not allowed during certain plasma scenarios or coil current 

levels). 

Specific self-protections will be developed for ‘routine’ operations such as unlatch or reset 

after an interlock function, or change in the GOS, to prevent any harm due to improper 

operator action. 

Other (organizational) protections are to be considered for the operation and maintenance phases: 

 

 

 

 

Procedures for operation and maintenance activities will be developed (techniques to be used, 

additional mitigation means, impact analysis, revalidation tests…). Reliable administrative 

procedures, in particular the procedures of masking interlock signals during commissioning, are 

crucial to limit and supervise the number of operations to be executed without the protection of 

the interlocks. It is proposed that an operations board/committee will be the only body 

authorized to change interlock set points. 

Operators and maintenance personnel must be trained. 

Periodic proof-tests following written procedures must be conducted to reveal dangerous 

failures undetected by diagnostics. These tests will include the sensors, the logic solvers and 

the final elements. They may also include alarms. They will be defined to reach the specified 

objectives for reliability and availability but taking into account operational constraints described 

in operation handbook. 

On activation of an interlock function, the behaviour of the interlock system will be analysed 

(cause of the false trip or cause of the trigger, correct behaviour or discrepancy with expected 

behaviour, failures of part of the interlock system). These analyses facilitate the validation of the 

triggering assumptions made during the interlock system design and they allow the periodicity 

of the proof-tests to be adjusted if required. 

5 Interlock Operation and Maintenance Tools 

Two different platforms are available for the operation of the Interlock Control System from the Control 

Room: 

 

 

A dedicated ‘Interlock Desk’, directly connected to the Central Interlock Network, and thus with 

direct access to the CIS and the PIS, is proposed. This platform will allow all kinds of tasks 

(critical and non-critical) related to the interlock system to be performed (monitoring, operation, 

configuration and management). There are two different terminals/applications: a CIS 

Supervisor and an Engineering Workstation, both connected to the CIN and using different 

computer infrastructures. Communications avoid the use of the CODAC network infrastructure 

and interfaces, and the signals or commands exchanged with this are logged in the Critical 

Interlock Logging System. This ‘Interlock Desk’ is available in both control rooms, is provided by 

CIS (PBS.46) and is addressed in detail in the CIS Preliminary DDD [RD5]. 

All generic non-critical tasks (routine-manual actions) affecting the PIS are available through 

CODAC. This platform makes use of the CODAC infrastructure, including terminals in the 

control room (EPICS) and network communications (Plant Operations Network). The plant 

systems are encouraged to process the non-critical tasks via this CODAC interface. Indeed, the 

interlock systems (PIS and CIS) always monitor that all conditions required for safe operation 

are met. With this approach, flexibility during the operation of ITER is maximized without 

compromising its integrity. As a result of the close cohabitation of conventional and interlock 

data (indicators, alarms, controls) via this interface, it is necessary to clearly identify the 

interlock data. 

Page 6 of 8

Figure 2: Functional architecture 

In any case, no human intervention in the interlock cubicles is required or authorized during normal 

operations but during maintenance, most critical actions are available from the technical cubicles. 

These are managed and regulated by administrative procedures (i.e. modification of the PLC code after 

the changes have been validated on a test bench). 

6 Interface ICS-CODAC 

For operation and maintenance actions, the interface between CODAC and the Interlock Control 

System provides two access points: 

 

Communication between CODAC and PIS. The communication link is based on the direct 

connection of the PIS to the PON network according to the Guidelines for PIS Design [RD2]. An 

EPICS interface is required in order for the PIS to communicate with CODAC. Normally the 

PSH (provided by CODAC to each plant system I&C) acts as this interface. This communication 

occurs in two ways: 

 

 

PIS -> CODAC direction: the information transmitted includes all local process variables 

generated by the different PIS that are required by CODAC for archiving and monitoring 

purposes. 

CODAC -> PIS direction: The information transmitted includes all routine-manual 

commands concerning local interlock functions (e.g. unlatching or re-arming the equipment 

after a local interlock function has been triggered). Operations allowed through this interface 

are normally demanded as a result of the triggering of a local interlock function, and 

therefore will be available from the conventional operator desk. These commands are 

supervised by the system (PIS), so they are considered non critical. This interface is also 

used for the transmission of the timing signal. 

 

Communication between CODAC and CIS. The communication link is based on the connection 

of the CIS Supervisor module (PLC) to CODAC through an EPICS interface implemented in a 

Page 7 of 8

computer called the CIS-CODAC gateway (details about this interface addressed in the PBS.46 

Preliminary DDD [RD5]). This communication can occur in two ways: 

 

 

CIS -> CODAC direction: All interlock events, actions and variables generated by CIS are 

converted into EPICS PV’s and forwarded to be archived in CODAC or to be displayed on 

CODAC terminals. 

CODAC -> CIS direction: for non-critical communications. For the exchange of manual data 

or certain commands from the operators using the conventional operator desk in the control 

room if required. CODAC development or versioning tools could be used through this 

interface. This interface is also used for the transmission of the timing signal. 

7 Interface PIS-CIS 

The interface between the PIS and the CIS concerns three functions: 

 

 

 

Interface with CIS modules that implement central interlock functions (PLC or fast controllers). 

The data to be exchanged are mainly the PIS events, the PIS actions and the CIS actions. 

Interface with the CIS Supervisor module (PLC) that is in charge of the CIS interfaces with 

CODAC, with the CIS Supervisor (HMI) and with the Critical Interlock Logging System. The 

critical interlock data already forwarded to the CIS modules to implement central interlock 

functions will be displayed on the CIS Supervisor (HMI) and logged in the Critical Interlock 

Logging System by the connection of the CIS modules to the CIS Supervisor module (PLC) 

inside PBS.46 scope. Therefore it will not be forwarded a second time by the PIS. All the other 

interlock data including resets will be forwarded to the CIS Supervisor module (PLC) to be 

displayed or operated from the CIS Supervisor (HMI) and to be logged in the Critical Interlock 

Logging System. Moreover the CIS Supervisor Module (PLC) is also responsible for the 

propagation of the GOS to the PIS. 

Interface with the Engineering Workstation: The engineering workstations enable the software 

and configuration of the controllers and networks to be directly monitored from the control 

rooms through the proprietary controller software. The PIS shall authorize these connections. 

Page 8 of 8

PIS Operation and Maintenance - Iter

Create successful ePaper yourself

Delete template?

Save as template?