UNICOS-like system for interlocks II Workshop on PLC-based interlocks systems ITER, Dec 2014...

UNICOS-like system for interlocks

II Workshop on PLC-based interlocks systems

ITER, Dec 2014

Jeronimo ORTOLA VIDAL

CERN Engineering Department, Industrial Controls Group

Industrial ControlsEngineering Department

2

Outline

• Current solutions• WIC, PIC, DSS

• Under study• UNICOS protection systems• UNICOS safety systems

December, 2014J. Ortola (CERN, EN/ICE)


• Warm magnet power converters interlock system• Power electrical circuits interlock system

• Based on simple Boolean conditions (matrix)• Safety and standard version for WIC.• Standard fast PLC fro PIC• UNICOS TSPP in the communication with SCADA.• UNICOS in SCADA.• Same generic code applied to all the WIC and PIC protection

system• Configuration of the interlock conditions by a configuration flies

produced externally

3December, 2014J. Ortola (CERN, EN/ICE)

WIC, PIC


DSS overview

DSS

“Detector”

Alarm-Action Matrix

Read the Sensors

Evaluate the Alarm Conditions

Set the Actuators

~1 Hz



Detector

Evaluate the Alarm Conditions

Read the Sensors

Set the Actuators

Configure

Monitor

S7 Driver

S7Driver

Operator

Display

Configuration

Interface

WinCC OA SCADA system Redundant Siemens PLC

The Back-End deals

with User Interaction

The Front-End deals

with Safety



• How does the “data-driven” approach work• The details of the Sensors, Alarms and Actuators will not be

“hardcoded” in the software. • These details, which describe the peculiarities of each system

protected by the DSS, will instead be confined into “data structures”.• The DSS software will interpret the data contained in the above

mentioned structures.• Benefits

• The software will then be identical for every DSS. • This approach automatically eliminates the risk of introducing software

bugs when the User adds new items.

Software: the data-driven approach



UCI 12291…

UCI 12289UCI 12290

“Compare” blocks

UCI 14339…

UCI 14337UCI 14338

Sub-conditions

If “A”=TRUE or “B”=TRUE or “C”=TOO_HIGH or “D”=TOO_LOW then ALARM “E”

UCI 3…

UCI 1UCI 2

Digital sensors

A = true

B = true

…

…

UCI 8193UCI 8194

Analogue sensors

UCI 10247UCI 10248

C = highD = high

C = lowD = low

delay = 2…

UCI 16421UCI 24577

Alarm-Action links

…

UCI 24579…

UCI 24577UCI 24578

Actuators

If ALARM “E” then ACTION “F” (after 2 secs.)

UCI = 1UCI = 3

UCI = 8193UCI = 10248

UCI = 0 (empty)

N = 1 (OR)

…

Alarm “E” value

UCI = 0 (empty)UCI = 0 (empty)UCI = 0 (empty)

Alarm conditions

U

C

I

1

6

4

2

1

…

Step 1: read digital sensors

Step 2: read analogue sensors and compare with thresholds

Step 5: evaluate Alarm Conditions

Step 6: look at Alarm-Action links

Step 7: set Actuator values (execute Actions)



WinCCOA DATABASE

(DATAPOINTS)

DSS EVENT MANAGER

ARCHIVE MANAGER

EMAIL MANAGER

LOG MANAGERS

ORACLE DATABASE

SMS/EMAIL

WinCCOA ARCHIVE

PLC DATABLOCKS

Front-End PLC

S7 DriverUser Interaction part

MONITOR PANELS

CONFIGURE PANELS

Parameter changes (from User) Status changes (Front-End “events”)



Many consistency checks are needed when defining an Alarm Condition

Check that, depending on the sensor values, the condition can actually be TRUE or FALSE

ex. (A too_high and A too_low) is bad

ex. (B true or B false) is bad

Check against the same sensors being reused in a redundant way

ex. (B true or B true) : maybe the User has made a mistake



Data server:• gateway to the Back-End • redundant in the Front-End communication using the native WinCCOA S7 driver

Redundancy:• up to the level of I/O interfaces• backup in case a power supply, CPU,

Profibus failure• optical link between CPU modules• step-by-step comparison inside the processing of the PLC cycle

Front-End:• Siemens S7-400 station • programmed through the Siemens STEP7 development environment• implementation and processing of the DSS Front-End Software• monitors itself

CPU crate:redundant PS

CPU 414-4HEthernet adapter

(CP 443-1) Back End:WinCCOA user interface for• display & logging• modification of the Alarm/Action-MatrixProfibus

Opt.Link

DSS COM

DataServer

WinCCOA

CERN LAN


http://images.google.com/imgres?imgurl=www.apple.com/smallbusiness/networking/resources/pc/images/pc.jpg&imgrefurl=http://www.apple.com/smallbusiness/networking/resources/pc/&h=252&w=200&prev=/images?q%3DPC%2B%26svnum%3D10%26hl%3Den%26lr%3D%26ie%3DUTF-8%26sa%3DN





• I/O modules are not redundant, but sensors

can be connected redundantly by doubling (tripling) their number.

Reliability

Single Incident Robustness:• Power supplies are redundant.

• Optical fiber break leads to stop of CPU slave.

• CPU crates are redundant.

• PROFIbus is redundant.• Communication modules are redundant.

• Power is back-up’ed by UPS. UPS failure will bypass current from main lines.






Surface

Cavern

Shaft

Optical Link

DSS COM NTP Server

CERN LAN CPUs are comfortably

separated to minimize danger of accidental damage

Experiment’s Configuration

I/O crates act as cable concentrators near sensors/actuators

Connection of both CPUs to NTP.Synchronization is better than 20ms.

Redundant cables running throughtwo cable paths.Spares for all cables are foreseen.

PROFIbus

Back-End situated in the control room.

Front-end

Control Room

Back-end

CERN LAN

14• December, 2014• J. Ortola (CERN, EN/ICE)


Experiment’s ConfigurationCavern

Surface

Shaft

Optical Link

DSS COM

PROFIbus

Functionality grouped into

“Detector Safety Units”

All DSUs are alike. Each DSU is

responsible for adistinct geographicarea.

2-4 DSUs typical,16 DSUs maximal possible per experiment.

Front-end

Control Room

Back-end

CERN LAN

15• December, 2014• J. Ortola (CERN, EN/ICE)


DSU Layout

Patch Panel Terminals to connect sensors / actuators(max. 352 digital channels OR 120 analog channels;optimum is 224 digital PLUS 64 analog channels)

Table / Drawer

Control Room Panel, Gyro & Siren (not part of a DSU)

External Crate with dedicated Monitoring Module2nd External Crate possible

Ethernet Switch for DSS COM (in DSUs with CPU crate)

CPU crate (in two DSUs)

Redundant 24V Power Supplies & Distribution ModulesFront-End Display

Gateway PC (in one DSU)

Uninterruptible Power Supply (UPS)

52 units standard )

All parts are compliant to CERN’s technical and safety requirements (by TIS).



The five installed DSSs

The five installed DSSs: some figures

ALICE ATLAS CMS CMSX LHCb

DSUs 7 7 6 10 3

Analog Sensors 322 4 6 20 82

Digital Sensors 82 582 431 1540 246

Alarm Conditions 195 581 417 520 297

Alarm->Action links ~220 ~2000 ~770 ~1850 ~1150

Actions 223 309 232 513 191



18

DSS highlights

• Five DSS systems, each running the same identical software

• Additional features• ORACLE logging of all events and configuration

modifications• Monitoring the status of the PLC system itself• Preventing configuration modifications if the

communication is not working• Sophisticated WinCCOA-based User Interface



The data-driven approach has led to• Simplicity and stability in the Critical part• Very well established interface between control

and supervision. • Reduced software development and maintenance • Independence from the data details. There is

nothing “CERN-specific”. The system can be reused “as it is” in other environments.


DSS highlights


20

Future: UNICOS-CPC protection system

• Automated generation of interlock matrix code with UAB.

• UNICOS-CPC objects (No safety functions).• Functions to evaluate the matrix

• Digital: MooN• Analog: HH, LL, equal, max, min

• Digital and Analog actuators• Online reconfiguration of matrix from SCADA• Fast interlocks (Interruption Inputs)



21

Future: UNICOS-CPC safety systems

• UNICOS-CPC for the non-safety protection • Manual development of safety functions linked to

CPC objects.


UNICOS-like system for interlocks II Workshop on PLC-based interlocks systems ITER, Dec 2014...

Documents

Transcript of UNICOS-like system for interlocks II Workshop on PLC-based interlocks systems ITER, Dec 2014...