- Email: [email protected]
IFMIF-DONES Central instrumentation and control systems: General overview
Fusion Engineering and Design 146 (2019) 2682–2686
Contents lists available at ScienceDirect
Fusion Engineering and Design journal homepage: www.elsevier.com/locate/fusengdes
IFMIF-DONES Central instrumentation and control systems: General overview
T
⁎
Mauro Cappellia, , Cristina Centiolia, Carlo Neria, Chiara Montia, Angel Ibarrab a b
ENEA Fusion and Nuclear Safety Department, C. R. Frascati via E. Fermi 45, 00044, Frascati Roma, Italy CIEMAT, Fusion Technology Division, Avda. Complutense, 40, Madrid, 28040, Spain
A R T I C LE I N FO
A B S T R A C T
Keywords: Ifmif Dones Control system Demo Materials Neutrons
Purpose of this work is to describe the Central Instrumentation and Control Systems for the International Fusion Materials Irradiation Facility-DEMO Oriented NEutron Source. A functional definition of the main systems is given, together with a general overview of the current status of the Central Instrumentation and Control Systems and the differences with respect to the corresponding system developed during the previous phases. The overall architecture of the Central Instrumentation and Control Systems (definitions, functions and requirements), the identification of subsystems and equipment, the control system design guidelines, and the Control Room requirements, are here described. Moreover, the Local Instrumentation and Control Subsystems is defined together with its relationship with the Central Instrumentation and Control Systems.
1. Introduction Qualification of materials is a crucial step in the development process of a fusion power plant. All components exposed to high-energy radiation must withstand a harsh environment with severe operational conditions. The availability of a fusion-relevant neutron source is therefore of uttermost importance in order to understand the material degradation under the neutron bombardment during the lifetime of a fusion reactor [1]. In particular, this is a necessary requirement to a safe design for the DEMOnstration Fusion Reactor (DEMO), whose in-vessel materials will be exposed to neutron fluxes up to 5 × 1018 m−2 s−1 with a peak energy of 14.1 MeV, which could produce a displacement damage in excess of 10 dpa per year of operation [2]. To attack the problem, the EU supported the development of a Li(d,nx) neutron source called IFMIF-DONES (International Fusion Materials Irradiation Facility-DEMO Oriented NEutron Source) through the EUROfusion Work Package Early Neutron Source (WPENS) in collaboration with F4E Agency. The IFMIF-DONES project arises from the experience and results obtained in the IFMIF-EVEDA (IFMIF-Engineering Validation and Engineering Design Activities) project conducted in the framework of the bilateral EU-Japan Broader Approach Agreement [3,4]. The final goal of the IFMIF-DONES Plant [5], an accelerator-based neutron source where a high-energy deuterons (D+) beam is focused on a fast flowing liquid lithium (Li) jet [8], is to produce high-energy neutrons via D-Li stripping reactions with intensity and irradiation volume
⁎
sufficient to generate material irradiation test data for design, licensing, construction and safe operation of DEMO whose main characteristics are defined by the EU Roadmap [6,7]. A sketch of the current IFMIFDONES Plant configuration is shown in Fig. 1. Five major groups of systems have been identified: Accelerator Systems; Lithium Systems; Test Systems; Plant Systems, and Central Instrumentation and Control Systems. The Accelerator Systems include all the systems and components for the generation, acceleration and shape of a 5 MW deuteron beam (125 mA, 40 MeV), with a rectangular cross section of 100 or 200 mm × 50 mm, impinging on the free surface liquid lithium target (25 mm thick, 260 mm wide), which cross-flows at 15 m/s. The stripping reactions generate neutrons interacting with the materials samples enclosed in the High Flux Test Module (HFTM) behind the lithium target. The Test Systems house the test samples behind the lithium target and controlling the conformity of the irradiation conditions with the requirements. They include the HFTM, the Start-up Monitoring Module (STUMM) and the closed cavity or Test Cell (TC) housing the lithium target and the test modules. The Lithium Systems are composed of three main systems: the Target System (accelerating, shaping and positioning the lithium jet); the Heat Removal System (removal of the produced heat through different heat exchangers); the Impurity Control System (a branch line for the extraction of a fraction of the lithium from the main loop and its re-injection after purification and impurity analysis). General services supporting the whole plant are included in the
Corresponding author. E-mail address: [email protected] (M. Cappelli).
https://doi.org/10.1016/j.fusengdes.2019.04.084 Received 8 October 2018; Received in revised form 23 April 2019; Accepted 25 April 2019 Available online 31 May 2019 0920-3796/ © 2019 EUROfusion Consortium. Published by Elsevier B.V. All rights reserved.
Fusion Engineering and Design 146 (2019) 2682–2686
M. Cappelli, et al.
Fig. 1. IFMIF-DONES Plant configuration.
leading to a strong simplification in terms of control laws and interface signals. As a consequence, there are no single facilities like in IFMIF (namely, Accelerator Facility, Lithium Facility and Test Facility), with their own I&C system. In the DONES design each of the physical systems in the Accelerator Systems, Lithium Systems, Test Systems, Plant Systems has a direct connection with the CICS. It should be observed that in this paper the formal nomenclature adopted in the IFMIF-DONES Project is used. In particular, the use of the word system deserves to be better explained in order to avoid misleading interpretations. The expression control system is used in this paper in two ways. In the strict sense, it is used as a formal definition of a system as defined in the correspondent Product Breakdown Structure (PBS): the initial uppercase letter is used to indicate this formal definition. Hence, Control Systems is the formal definition of DONES Systems associated to the overall plant control functions. Control System means one of the three main control systems associated with data, protection and safety functions, respectively. In the wide sense, control system is used to refer to the generic meaning of control system as considered in the mainstream literature, i.e. a set of devices that regulates variables by way of control loops.
so-called Plant Systems (Heating, Ventilation and Air Conditioning (HVAC); Heat Rejection; Electrical Power; Service Water and Service Gas; Radioactive Waste Treatment and Gas Radioactive Waste Treatment; Fire Protection). Finally, the Instrumentation and Control (I &C) System, which is the object of this paper and described in detail hereafter. A comprehensive description of the IFMIF-DONES design is included in [5,6,9].
2. The Central instrumentation and control systems (CICS) 2.1. Overview The DONES I&C System is designed with a hierarchical structure, starting from the top level, the Central Instrumentation and Control Systems (CICS), down to the Local Instrumentation and Control Subsystems (LICS) level [10,11]. The DONES I&C System, composed of completely different systems with independent complex functions, adopts a distributed control approach conferring autonomy to each of the systems to manage the single control loops implemented at the LICS level. At the same time, a central control is given to the CICS in order to supervise and control the entire local I&C subsystems. The CICS guarantees the global control of the DONES plant. It is in charge of managing, monitoring and controlling all the plant parameters and variables, and the data storage and visualization. It is mainly based on a set of supervisory systems that guarantee a continuous, bidirectional communication with the LICS, and at the same time in real-time (networking) communication with other (sub) systems. The LICS are in charge of the control of every subsystem and component in order to guarantee that all process variables are maintained inside the required range. Compared to the IFMIF/EVEDA approach [3,4,10], the DONES Control System has been conceived on a different basis. The structure has been simplified following a current trend in similar plants (see for example the ITER case, as in [12,13], or other modern tokamak designs [14,15]), featuring only two levels: the Central I&C Systems and the Local I&C Subsystems, whose interaction is managed by means of interface networks and buses. No intermediate levels are needed, thus
2.2. CICS General architecture The CICS consists of three systems: COntrol Data Access and Communication (CODAC) System; Machine Protection System (MPS); Safety Control System (SCS). Each system at the central level is in a continuous, bidirectional communication with the corresponding system at the local level by means of dedicated instrumentation and control networks and/or buses: CODAC Network, Interlock Bus Network, and Safety Network (Fig. 2). Each of the three Control Systems is composed by several independent Subsystems (Fig. 3). 2.3. COntrol, data access and communication (CODAC) system The COntrol, Data Access and Communication System (CODAC) 2683
Fusion Engineering and Design 146 (2019) 2682–2686
M. Cappelli, et al.
each transition back to the CICS. The overall time sequence of operation is centrally controlled by the timing signal from the Timing Subsystem (TS). The TS sends master clock signal to the TS gateway of each System to synchronize all the clocks of the Plant. The Data Management (DM) Subsystem is responsible of archiving process information and system information. Each of the LICS is able to send acquired or processed information to the CICS in raw data. The Operator User Interface is based on the Human-Machine Interface (HMI) Subsystem, implemented in the operator console in order to permit the user to monitor, supervise and control all relevant processes. The aim of the operator user interface is to facilitate effective operation and control of the plant systems and subsystems. The interface supports the operator in operational decisions and is based on graphics and animations used for the feedback information from the process. The purpose of the Alarms and Warnings (AW) Subsystem is to provide information to the operators through a CODAC system service for fault diagnosis and correction. The fundamental aim of alarms is to alert the operator in the event of deviations or anomalies from normal operating conditions, with the ultimate objective to prevent, or at least minimize, physical and economic losses by means of the operator intervention in response to the alarm condition.
Fig. 2. DONES I&C SYSTEMS: General First Level Architecture.
2.4. Machine protection subsystem (MPS) The Machine Protection System (MPS) is in charge of implementing all the investment protection strategies at the different plant levels, ensuring plant protection against failures of the system or equipment components, failures of the central and/or local control systems, incorrect operation by means of dedicated sensors, controllers and actuators. The MPS is designed according to the IEC-61508 reference standard. The MPS can be designed as a two level architecture (Fig. 4): the Central Machine Protection System (CMPS), for the implementation of plant-wide protection actions, and the Local Machine Protection System (LMPS), for handling local protection events. The MPS has an interface to the CICS for coordination and data handling. Communication among the CMPS and the LMPS will be performed through dedicated networks. The main system functionalities of the CMPS are: receive the interlock events from local LMPS; coordinate and transmit the interlock actions to local LMPS; provide warning threshold information; inform the operator about the status of all the LMPS; enable operator actions, like permits, resets and overrides; log all the data related to the interlock function being performed; interface the CICS for monitoring purposes and to archive data. The LMPS main system functions are: detect the interlock events; execute interlock actions, either standalone or commanded by CMPS; inform the CMPS on the occurrence of the local events/actions. From a general perspective, the interlock actions can be divided in two classes as a function of the response time: fast interlocks (from 300 ms to less than 30 μs) and slow interlocks (above 300 ms). The MPS will rely on a set of critical monitors to trigger the interlock events. The most relevant are Beam
Fig. 3. DONES I&C SYSTEMS: General Second Level Architecture.
coordinates DONES’s Systems, orchestrating their operation, and gathering and archiving data the DONES plant produces. CODAC is in charge of managing (by supervision and control) the normal operation of the Systems and must prevent the MPS from being triggered. CODAC System has been designed as a two-level architecture: (1) the Central CODAC System that coordinates control and monitoring across the LICS; (2) the Local CODAC System which is the element in each Local System that provides control during normal operation. The role of the CODAC System is to ensure coordination of all the physical systems, configuring them, synchronising their functions and retrieving their data. Further functionalities are: monitoring of the LICS; displaying of the LICS status to operators; preparation and automation of scheduled operations; data recovering from the LICS; experimental data acquisition and storage; alarms and warnings handling. The Supervision and Central Control (SCC) Subsystem receives the information necessary for operation of the DONES Plant from the local subsystems. The status of the Plant operation will be displayed on the Central Control Console of the SCC. Each of the LICS receives low-level commands as well as highlevel commands from the CICS that result in multiple commands toward the process. The LICS are responsible of the interpretation of the high-level command and transform it into multiple unitary commands, to control their execution and to send back the execution status to the CICS. For state machines, the LICS shall send an execution status for
Fig. 4. Pictorial view of the MPS architecture. 2684
Fusion Engineering and Design 146 (2019) 2682–2686
M. Cappelli, et al.
2.7. Central control room requirements
Loss Monitors (BLoMs), Level gauges, Li leak and pressure sensors, Pressure sensors, Strain gauge/thermocouples, Fission chambers in the Test, Radiation monitors.
A single Central Control Room (CCR) is foreseen for the DONES CICS. The CCR is the central area for all routine operations and control functions that are associated with the plant activities, including facilities control and management. It is provided with network links (> 10 Gb/s) to all networks. Control or configuration of all systems is only made from this CCR during the plant operation; in case of standalone system or local system operation, control of individual systems can be made from the related local control panels. CICS HMI and workstations shall be located in the CCR. The CCR shall have a dedicated Safety Important Component/ Protection Important Component (SIC/PIC) monitoring area, hosting the safety desks for all facilities. The safety desk will be staffed by one of the shift technicians. All the characteristics of the CCR are widely reported in [9].
2.5. Safety control system (SCS) The Safety Control System (SCS) is a dedicated nuclear-class protection system devoted to the implementation of all the identified protection functions regarding the personnel or the environment. It is implemented in an independent and dedicated architecture, minimizing the interactions with the conventional system. The SCS coordinates the individual protections provided by the Safety Procedures, enables manual control by the operator and displays data required for the operator supervision and control. The SCS is mainly composed by four Subsystems. The Plant Safety Subsystem (PSS) is based on a hierarchical architecture, which implements two local functions and central functions, according to the general I&C architecture. In a local safety function the safety feedback loop (i.e. sensor detection of an event and subsequent safety action by the actuator) is performed within a single LICS. The function is executed locally and autonomously inside the local safety system and monitoring data are sent to the correspondent safety HMI in dedicated control-room consoles. In a central safety function the safety feedback loop is performed by different LICS. Once the event has been individuated by one of the LICS, it is immediately communicated to the CICS, which then commands one or more LICS to perform the corrective action according to safety procedures. Monitoring data containing all the relevant results are sent to the correspondent safety HMI in dedicated control-room consoles. The Occupational Safety Subsystem (OSS) provides I&C Safety functions for the protection of people against all conventional hazards (toxicological, physical, electrical, cryogenic or other), produced inside the plant in normal and abnormal circumstances. The safety functions can be implemented either locally or centrally by means of different protection systems (local passive systems, local hardwired systems, local programmable systems, central programmable systems). The system is based on the personnel and zone classification with respect to the level of hazard. Exposure to ionizing radiation imposes that this subsystem will be in tight connection with the Personal Access Safety Subsystem (PASS) and the Radiation Monitoring System for the Environment and Safety (RAMSES). The PASS has the objective of implementing all the actions ensuring the safety of the people in specific areas generating safety risks. The access safety functions related to occupational risks are implemented in the OSS using the same requirements. Access safety functions are for example stopping hazardous equipment or devices in case of intrusion, or banning access on detection of a risk. Typical access statuses will be defined for the access to the main experimental room (e.g. free, controlled, warning, pre-pulse, pulse-on). The RAMSES objective is to keep the radiation doses of workers as low as practically possible, not exceeding the dose limits set. As a consequence it contributes to the protection of the personnel in radiation-controlled areas by permanently dose rates monitoring and comparison with alarm levels. In case of excessive dose levels, RAMSES is responsible of the activation of evacuation alarms and interlocks.
3. Local instrumentation and control subsystems (LICS) The LICS are designed to be in charge of the control of every subsystem and component in order to guarantee that all process variables are maintained inside the required range. The raw signal data acquired by the LICS are processed and converted into process variables compatible with the selected framework and then made available through the whole plant. Typically, the I&C Systems include at each hierarchical level a HMI and operational monitoring functions (if required). The graphical engine of the distributed control system toolkit (e.g. EPICS [16]), runs in the same servers where process variables are stored. At the local layer, vendor or technology specific SCADA can be used for particular operations during commissioning, calibration, maintenance, etc. Control systems at different hierarchical levels are interfaced by Ethernet Local Area Networks (LANs) communicating through the common control software in order to allow communications between different hardware platforms. Local control systems could use a particular network or fieldbus depending on specific commercially available controllers. However, these local systems with non-standard communication protocols should have an interface system to allow communications between different control systems. The Local CODAC Controllers (LCC) are connected to the field sensors and actuators in order to acquire data and perform local control logics. Local Controllers work in normal operation, including the execution of non-safety interlocks. Each Local Controller is in charge of executing operations only on a single, well-defined LICS sub-system. The Local Interlock Controllers (LIC) are connected to dedicated field sensors and actuators in order to acquire data and perform local safety-related interlock logics. Each LIC is in charge of protecting only a single, well-defined LICS sub-system. Generally, an Interlock Controller should be a SIL3/SIL2 controller dedicated to interlocks and units that have been hardwired for higher performance. The Local Safety Controllers (LSC) are related to the following specific tasks: plant safety, occupational safety, personal access safety, radiation monitoring. This class can include a heterogeneous set of devices: controllers, hardwired units, smart sensors, etc. All local components are housed in local I&C cubicles. Each local I& C cubicle embed all I&C components (fast and slow controllers, switches, signal I/O interfaces).
2.6. Hardware and software implementation
4. Conclusions
The complete control architecture is implemented as a real-time distributed control system based on open source software tools, libraries and applications. Robust control hardware is used: programmable logic controllers (PLC), programmable automation controllers (PAC), and industrial PCs (IPC) high performances devices, e.g. Field Programmable Gate Arrays (FPGA). The communication is based on multi-control/supervisory networks (Ethernet and fibre optic 10 Gigabit Ethernet) for controlling and monitoring the full plant operation and status (a possible example is given in Fig. 5 using COTS components).
The first step of the IFMIF-DONES Design has been achieved within the EUROfusion Work Package ENS as a first step to move towards the completion of the design of a European DEMO-oriented neutron source whose construction is planned in early 2020s. A presentation of the general architecture of the DONES CICS has been presented here taking into account the current plant design and the state of the art of similar I &C projects (namely, ITER). The new architecture seems to be simpler and more effective in managing signals and interface and reduce the 2685
Fusion Engineering and Design 146 (2019) 2682–2686
M. Cappelli, et al.
Fig. 5. (a) A possible example using COTS components (e.g. National Instruments®, Siemens®, Netgear®) of a machine protection architecture with programmable logic controllers in redundant configuration: (b) FPGA-based architecture for local protection functions. It should be noted that possible references to specific commercial components are here indicated only for illustrative purpose.
need of duplication of control logics in different layers. A detailed definition has been given in terms of philosophy, strategy and functionality of the CICS. The different role of CICS and LICS has been also underlined. Main features of the CICS CODAC System have been presented, which can be considered as a consolidated basis for the development of more detailed design. To the MPS and SCS a specific study will be dedicated, due to the need of a homogenization with the safety requirements of the final implementation.
[3] The IFMIF/EVEDA Integrated Project Team, IFMIF Intermediate Engineering Design Report, available on request at (2013) [email protected]. [4] A. Ibarra, et al., A stepped approach from IFMIF/EVEDA toward IFMIF, Fusion Sci. Technol. 66 (2014) 252–259. [5] A. Ibarra, et al., DONES Conceptual Design Report, (2018) available on request to the corresponding author. [6] F. Romanelli, et al., Fusion Electricity, A Roadmap to the Realization of Fusion Energy, EFDA, 2012. [7] T. Donné, et al., European Research Roadmap to the Realisation of Fusion Energy, ISBN 978-3-00-061152-0 EUROfusion Consortium, 2018. [8] A. Ibarra, et al., The IFMIF-DONES project: preliminary engineering design, Nucl. Fusion 58 (2018) 105002. [9] D. Bernardi, et al., Towards the EU fusion-oriented neutron source: the preliminary engineering design of IFMIF-DONES, Fus. Eng. Design (2019) Available online 7 January. [10] M. Cappelli, et al., ENS-3.6.1.1-T13-N1, (2017) available on request to the corresponding author. [11] M. Cappelli, ENS-3.6.1.1-T15-11-N1, (2017) available on request to the corresponding author. [12] ITER Instrumentation and Control System – PRIMER (ITER_ID: 32J454 v1.1), (2010). [13] W. Davis, et al., Current status of ITER I&C system as integration begins, Fus. Eng. Design 112 (2016) 788–795. [14] M. Park, et al., Overview of KSTAR integrated control system, Nucl. Eng. Tech. 40 (October (6)) (2008). [15] J.G. Krom, The evolution of control and data acquisition at JET, Fusion Engin. and Design 43 (1999) 265–273. [16] http://www.aps.anl.gov/epics/.
Acknowledgements This work has been carried out within the framework of the EUROfusion Consortium and has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement number 633053. The views and opinions expressed herein do not necessarily reflect those of the European Commission. References [1] D. Stork, et al., Towards a programme of testing and qualification for structural and plasma-facing materials in fusion neutron environments, Nucl. Fusion 57 (2017). [2] G. Federici, et al., DEMO design activity in Europe: progress and updates, Fus. Eng. Design 136 (2018) 729–741.
2686
Contents lists available at ScienceDirect
Fusion Engineering and Design journal homepage: www.elsevier.com/locate/fusengdes
IFMIF-DONES Central instrumentation and control systems: General overview
T
⁎
Mauro Cappellia, , Cristina Centiolia, Carlo Neria, Chiara Montia, Angel Ibarrab a b
ENEA Fusion and Nuclear Safety Department, C. R. Frascati via E. Fermi 45, 00044, Frascati Roma, Italy CIEMAT, Fusion Technology Division, Avda. Complutense, 40, Madrid, 28040, Spain
A R T I C LE I N FO
A B S T R A C T
Keywords: Ifmif Dones Control system Demo Materials Neutrons
Purpose of this work is to describe the Central Instrumentation and Control Systems for the International Fusion Materials Irradiation Facility-DEMO Oriented NEutron Source. A functional definition of the main systems is given, together with a general overview of the current status of the Central Instrumentation and Control Systems and the differences with respect to the corresponding system developed during the previous phases. The overall architecture of the Central Instrumentation and Control Systems (definitions, functions and requirements), the identification of subsystems and equipment, the control system design guidelines, and the Control Room requirements, are here described. Moreover, the Local Instrumentation and Control Subsystems is defined together with its relationship with the Central Instrumentation and Control Systems.
1. Introduction Qualification of materials is a crucial step in the development process of a fusion power plant. All components exposed to high-energy radiation must withstand a harsh environment with severe operational conditions. The availability of a fusion-relevant neutron source is therefore of uttermost importance in order to understand the material degradation under the neutron bombardment during the lifetime of a fusion reactor [1]. In particular, this is a necessary requirement to a safe design for the DEMOnstration Fusion Reactor (DEMO), whose in-vessel materials will be exposed to neutron fluxes up to 5 × 1018 m−2 s−1 with a peak energy of 14.1 MeV, which could produce a displacement damage in excess of 10 dpa per year of operation [2]. To attack the problem, the EU supported the development of a Li(d,nx) neutron source called IFMIF-DONES (International Fusion Materials Irradiation Facility-DEMO Oriented NEutron Source) through the EUROfusion Work Package Early Neutron Source (WPENS) in collaboration with F4E Agency. The IFMIF-DONES project arises from the experience and results obtained in the IFMIF-EVEDA (IFMIF-Engineering Validation and Engineering Design Activities) project conducted in the framework of the bilateral EU-Japan Broader Approach Agreement [3,4]. The final goal of the IFMIF-DONES Plant [5], an accelerator-based neutron source where a high-energy deuterons (D+) beam is focused on a fast flowing liquid lithium (Li) jet [8], is to produce high-energy neutrons via D-Li stripping reactions with intensity and irradiation volume
⁎
sufficient to generate material irradiation test data for design, licensing, construction and safe operation of DEMO whose main characteristics are defined by the EU Roadmap [6,7]. A sketch of the current IFMIFDONES Plant configuration is shown in Fig. 1. Five major groups of systems have been identified: Accelerator Systems; Lithium Systems; Test Systems; Plant Systems, and Central Instrumentation and Control Systems. The Accelerator Systems include all the systems and components for the generation, acceleration and shape of a 5 MW deuteron beam (125 mA, 40 MeV), with a rectangular cross section of 100 or 200 mm × 50 mm, impinging on the free surface liquid lithium target (25 mm thick, 260 mm wide), which cross-flows at 15 m/s. The stripping reactions generate neutrons interacting with the materials samples enclosed in the High Flux Test Module (HFTM) behind the lithium target. The Test Systems house the test samples behind the lithium target and controlling the conformity of the irradiation conditions with the requirements. They include the HFTM, the Start-up Monitoring Module (STUMM) and the closed cavity or Test Cell (TC) housing the lithium target and the test modules. The Lithium Systems are composed of three main systems: the Target System (accelerating, shaping and positioning the lithium jet); the Heat Removal System (removal of the produced heat through different heat exchangers); the Impurity Control System (a branch line for the extraction of a fraction of the lithium from the main loop and its re-injection after purification and impurity analysis). General services supporting the whole plant are included in the
Corresponding author. E-mail address: [email protected] (M. Cappelli).
https://doi.org/10.1016/j.fusengdes.2019.04.084 Received 8 October 2018; Received in revised form 23 April 2019; Accepted 25 April 2019 Available online 31 May 2019 0920-3796/ © 2019 EUROfusion Consortium. Published by Elsevier B.V. All rights reserved.
Fusion Engineering and Design 146 (2019) 2682–2686
M. Cappelli, et al.
Fig. 1. IFMIF-DONES Plant configuration.
leading to a strong simplification in terms of control laws and interface signals. As a consequence, there are no single facilities like in IFMIF (namely, Accelerator Facility, Lithium Facility and Test Facility), with their own I&C system. In the DONES design each of the physical systems in the Accelerator Systems, Lithium Systems, Test Systems, Plant Systems has a direct connection with the CICS. It should be observed that in this paper the formal nomenclature adopted in the IFMIF-DONES Project is used. In particular, the use of the word system deserves to be better explained in order to avoid misleading interpretations. The expression control system is used in this paper in two ways. In the strict sense, it is used as a formal definition of a system as defined in the correspondent Product Breakdown Structure (PBS): the initial uppercase letter is used to indicate this formal definition. Hence, Control Systems is the formal definition of DONES Systems associated to the overall plant control functions. Control System means one of the three main control systems associated with data, protection and safety functions, respectively. In the wide sense, control system is used to refer to the generic meaning of control system as considered in the mainstream literature, i.e. a set of devices that regulates variables by way of control loops.
so-called Plant Systems (Heating, Ventilation and Air Conditioning (HVAC); Heat Rejection; Electrical Power; Service Water and Service Gas; Radioactive Waste Treatment and Gas Radioactive Waste Treatment; Fire Protection). Finally, the Instrumentation and Control (I &C) System, which is the object of this paper and described in detail hereafter. A comprehensive description of the IFMIF-DONES design is included in [5,6,9].
2. The Central instrumentation and control systems (CICS) 2.1. Overview The DONES I&C System is designed with a hierarchical structure, starting from the top level, the Central Instrumentation and Control Systems (CICS), down to the Local Instrumentation and Control Subsystems (LICS) level [10,11]. The DONES I&C System, composed of completely different systems with independent complex functions, adopts a distributed control approach conferring autonomy to each of the systems to manage the single control loops implemented at the LICS level. At the same time, a central control is given to the CICS in order to supervise and control the entire local I&C subsystems. The CICS guarantees the global control of the DONES plant. It is in charge of managing, monitoring and controlling all the plant parameters and variables, and the data storage and visualization. It is mainly based on a set of supervisory systems that guarantee a continuous, bidirectional communication with the LICS, and at the same time in real-time (networking) communication with other (sub) systems. The LICS are in charge of the control of every subsystem and component in order to guarantee that all process variables are maintained inside the required range. Compared to the IFMIF/EVEDA approach [3,4,10], the DONES Control System has been conceived on a different basis. The structure has been simplified following a current trend in similar plants (see for example the ITER case, as in [12,13], or other modern tokamak designs [14,15]), featuring only two levels: the Central I&C Systems and the Local I&C Subsystems, whose interaction is managed by means of interface networks and buses. No intermediate levels are needed, thus
2.2. CICS General architecture The CICS consists of three systems: COntrol Data Access and Communication (CODAC) System; Machine Protection System (MPS); Safety Control System (SCS). Each system at the central level is in a continuous, bidirectional communication with the corresponding system at the local level by means of dedicated instrumentation and control networks and/or buses: CODAC Network, Interlock Bus Network, and Safety Network (Fig. 2). Each of the three Control Systems is composed by several independent Subsystems (Fig. 3). 2.3. COntrol, data access and communication (CODAC) system The COntrol, Data Access and Communication System (CODAC) 2683
Fusion Engineering and Design 146 (2019) 2682–2686
M. Cappelli, et al.
each transition back to the CICS. The overall time sequence of operation is centrally controlled by the timing signal from the Timing Subsystem (TS). The TS sends master clock signal to the TS gateway of each System to synchronize all the clocks of the Plant. The Data Management (DM) Subsystem is responsible of archiving process information and system information. Each of the LICS is able to send acquired or processed information to the CICS in raw data. The Operator User Interface is based on the Human-Machine Interface (HMI) Subsystem, implemented in the operator console in order to permit the user to monitor, supervise and control all relevant processes. The aim of the operator user interface is to facilitate effective operation and control of the plant systems and subsystems. The interface supports the operator in operational decisions and is based on graphics and animations used for the feedback information from the process. The purpose of the Alarms and Warnings (AW) Subsystem is to provide information to the operators through a CODAC system service for fault diagnosis and correction. The fundamental aim of alarms is to alert the operator in the event of deviations or anomalies from normal operating conditions, with the ultimate objective to prevent, or at least minimize, physical and economic losses by means of the operator intervention in response to the alarm condition.
Fig. 2. DONES I&C SYSTEMS: General First Level Architecture.
2.4. Machine protection subsystem (MPS) The Machine Protection System (MPS) is in charge of implementing all the investment protection strategies at the different plant levels, ensuring plant protection against failures of the system or equipment components, failures of the central and/or local control systems, incorrect operation by means of dedicated sensors, controllers and actuators. The MPS is designed according to the IEC-61508 reference standard. The MPS can be designed as a two level architecture (Fig. 4): the Central Machine Protection System (CMPS), for the implementation of plant-wide protection actions, and the Local Machine Protection System (LMPS), for handling local protection events. The MPS has an interface to the CICS for coordination and data handling. Communication among the CMPS and the LMPS will be performed through dedicated networks. The main system functionalities of the CMPS are: receive the interlock events from local LMPS; coordinate and transmit the interlock actions to local LMPS; provide warning threshold information; inform the operator about the status of all the LMPS; enable operator actions, like permits, resets and overrides; log all the data related to the interlock function being performed; interface the CICS for monitoring purposes and to archive data. The LMPS main system functions are: detect the interlock events; execute interlock actions, either standalone or commanded by CMPS; inform the CMPS on the occurrence of the local events/actions. From a general perspective, the interlock actions can be divided in two classes as a function of the response time: fast interlocks (from 300 ms to less than 30 μs) and slow interlocks (above 300 ms). The MPS will rely on a set of critical monitors to trigger the interlock events. The most relevant are Beam
Fig. 3. DONES I&C SYSTEMS: General Second Level Architecture.
coordinates DONES’s Systems, orchestrating their operation, and gathering and archiving data the DONES plant produces. CODAC is in charge of managing (by supervision and control) the normal operation of the Systems and must prevent the MPS from being triggered. CODAC System has been designed as a two-level architecture: (1) the Central CODAC System that coordinates control and monitoring across the LICS; (2) the Local CODAC System which is the element in each Local System that provides control during normal operation. The role of the CODAC System is to ensure coordination of all the physical systems, configuring them, synchronising their functions and retrieving their data. Further functionalities are: monitoring of the LICS; displaying of the LICS status to operators; preparation and automation of scheduled operations; data recovering from the LICS; experimental data acquisition and storage; alarms and warnings handling. The Supervision and Central Control (SCC) Subsystem receives the information necessary for operation of the DONES Plant from the local subsystems. The status of the Plant operation will be displayed on the Central Control Console of the SCC. Each of the LICS receives low-level commands as well as highlevel commands from the CICS that result in multiple commands toward the process. The LICS are responsible of the interpretation of the high-level command and transform it into multiple unitary commands, to control their execution and to send back the execution status to the CICS. For state machines, the LICS shall send an execution status for
Fig. 4. Pictorial view of the MPS architecture. 2684
Fusion Engineering and Design 146 (2019) 2682–2686
M. Cappelli, et al.
2.7. Central control room requirements
Loss Monitors (BLoMs), Level gauges, Li leak and pressure sensors, Pressure sensors, Strain gauge/thermocouples, Fission chambers in the Test, Radiation monitors.
A single Central Control Room (CCR) is foreseen for the DONES CICS. The CCR is the central area for all routine operations and control functions that are associated with the plant activities, including facilities control and management. It is provided with network links (> 10 Gb/s) to all networks. Control or configuration of all systems is only made from this CCR during the plant operation; in case of standalone system or local system operation, control of individual systems can be made from the related local control panels. CICS HMI and workstations shall be located in the CCR. The CCR shall have a dedicated Safety Important Component/ Protection Important Component (SIC/PIC) monitoring area, hosting the safety desks for all facilities. The safety desk will be staffed by one of the shift technicians. All the characteristics of the CCR are widely reported in [9].
2.5. Safety control system (SCS) The Safety Control System (SCS) is a dedicated nuclear-class protection system devoted to the implementation of all the identified protection functions regarding the personnel or the environment. It is implemented in an independent and dedicated architecture, minimizing the interactions with the conventional system. The SCS coordinates the individual protections provided by the Safety Procedures, enables manual control by the operator and displays data required for the operator supervision and control. The SCS is mainly composed by four Subsystems. The Plant Safety Subsystem (PSS) is based on a hierarchical architecture, which implements two local functions and central functions, according to the general I&C architecture. In a local safety function the safety feedback loop (i.e. sensor detection of an event and subsequent safety action by the actuator) is performed within a single LICS. The function is executed locally and autonomously inside the local safety system and monitoring data are sent to the correspondent safety HMI in dedicated control-room consoles. In a central safety function the safety feedback loop is performed by different LICS. Once the event has been individuated by one of the LICS, it is immediately communicated to the CICS, which then commands one or more LICS to perform the corrective action according to safety procedures. Monitoring data containing all the relevant results are sent to the correspondent safety HMI in dedicated control-room consoles. The Occupational Safety Subsystem (OSS) provides I&C Safety functions for the protection of people against all conventional hazards (toxicological, physical, electrical, cryogenic or other), produced inside the plant in normal and abnormal circumstances. The safety functions can be implemented either locally or centrally by means of different protection systems (local passive systems, local hardwired systems, local programmable systems, central programmable systems). The system is based on the personnel and zone classification with respect to the level of hazard. Exposure to ionizing radiation imposes that this subsystem will be in tight connection with the Personal Access Safety Subsystem (PASS) and the Radiation Monitoring System for the Environment and Safety (RAMSES). The PASS has the objective of implementing all the actions ensuring the safety of the people in specific areas generating safety risks. The access safety functions related to occupational risks are implemented in the OSS using the same requirements. Access safety functions are for example stopping hazardous equipment or devices in case of intrusion, or banning access on detection of a risk. Typical access statuses will be defined for the access to the main experimental room (e.g. free, controlled, warning, pre-pulse, pulse-on). The RAMSES objective is to keep the radiation doses of workers as low as practically possible, not exceeding the dose limits set. As a consequence it contributes to the protection of the personnel in radiation-controlled areas by permanently dose rates monitoring and comparison with alarm levels. In case of excessive dose levels, RAMSES is responsible of the activation of evacuation alarms and interlocks.
3. Local instrumentation and control subsystems (LICS) The LICS are designed to be in charge of the control of every subsystem and component in order to guarantee that all process variables are maintained inside the required range. The raw signal data acquired by the LICS are processed and converted into process variables compatible with the selected framework and then made available through the whole plant. Typically, the I&C Systems include at each hierarchical level a HMI and operational monitoring functions (if required). The graphical engine of the distributed control system toolkit (e.g. EPICS [16]), runs in the same servers where process variables are stored. At the local layer, vendor or technology specific SCADA can be used for particular operations during commissioning, calibration, maintenance, etc. Control systems at different hierarchical levels are interfaced by Ethernet Local Area Networks (LANs) communicating through the common control software in order to allow communications between different hardware platforms. Local control systems could use a particular network or fieldbus depending on specific commercially available controllers. However, these local systems with non-standard communication protocols should have an interface system to allow communications between different control systems. The Local CODAC Controllers (LCC) are connected to the field sensors and actuators in order to acquire data and perform local control logics. Local Controllers work in normal operation, including the execution of non-safety interlocks. Each Local Controller is in charge of executing operations only on a single, well-defined LICS sub-system. The Local Interlock Controllers (LIC) are connected to dedicated field sensors and actuators in order to acquire data and perform local safety-related interlock logics. Each LIC is in charge of protecting only a single, well-defined LICS sub-system. Generally, an Interlock Controller should be a SIL3/SIL2 controller dedicated to interlocks and units that have been hardwired for higher performance. The Local Safety Controllers (LSC) are related to the following specific tasks: plant safety, occupational safety, personal access safety, radiation monitoring. This class can include a heterogeneous set of devices: controllers, hardwired units, smart sensors, etc. All local components are housed in local I&C cubicles. Each local I& C cubicle embed all I&C components (fast and slow controllers, switches, signal I/O interfaces).
2.6. Hardware and software implementation
4. Conclusions
The complete control architecture is implemented as a real-time distributed control system based on open source software tools, libraries and applications. Robust control hardware is used: programmable logic controllers (PLC), programmable automation controllers (PAC), and industrial PCs (IPC) high performances devices, e.g. Field Programmable Gate Arrays (FPGA). The communication is based on multi-control/supervisory networks (Ethernet and fibre optic 10 Gigabit Ethernet) for controlling and monitoring the full plant operation and status (a possible example is given in Fig. 5 using COTS components).
The first step of the IFMIF-DONES Design has been achieved within the EUROfusion Work Package ENS as a first step to move towards the completion of the design of a European DEMO-oriented neutron source whose construction is planned in early 2020s. A presentation of the general architecture of the DONES CICS has been presented here taking into account the current plant design and the state of the art of similar I &C projects (namely, ITER). The new architecture seems to be simpler and more effective in managing signals and interface and reduce the 2685
Fusion Engineering and Design 146 (2019) 2682–2686
M. Cappelli, et al.
Fig. 5. (a) A possible example using COTS components (e.g. National Instruments®, Siemens®, Netgear®) of a machine protection architecture with programmable logic controllers in redundant configuration: (b) FPGA-based architecture for local protection functions. It should be noted that possible references to specific commercial components are here indicated only for illustrative purpose.
need of duplication of control logics in different layers. A detailed definition has been given in terms of philosophy, strategy and functionality of the CICS. The different role of CICS and LICS has been also underlined. Main features of the CICS CODAC System have been presented, which can be considered as a consolidated basis for the development of more detailed design. To the MPS and SCS a specific study will be dedicated, due to the need of a homogenization with the safety requirements of the final implementation.
[3] The IFMIF/EVEDA Integrated Project Team, IFMIF Intermediate Engineering Design Report, available on request at (2013) [email protected]. [4] A. Ibarra, et al., A stepped approach from IFMIF/EVEDA toward IFMIF, Fusion Sci. Technol. 66 (2014) 252–259. [5] A. Ibarra, et al., DONES Conceptual Design Report, (2018) available on request to the corresponding author. [6] F. Romanelli, et al., Fusion Electricity, A Roadmap to the Realization of Fusion Energy, EFDA, 2012. [7] T. Donné, et al., European Research Roadmap to the Realisation of Fusion Energy, ISBN 978-3-00-061152-0 EUROfusion Consortium, 2018. [8] A. Ibarra, et al., The IFMIF-DONES project: preliminary engineering design, Nucl. Fusion 58 (2018) 105002. [9] D. Bernardi, et al., Towards the EU fusion-oriented neutron source: the preliminary engineering design of IFMIF-DONES, Fus. Eng. Design (2019) Available online 7 January. [10] M. Cappelli, et al., ENS-3.6.1.1-T13-N1, (2017) available on request to the corresponding author. [11] M. Cappelli, ENS-3.6.1.1-T15-11-N1, (2017) available on request to the corresponding author. [12] ITER Instrumentation and Control System – PRIMER (ITER_ID: 32J454 v1.1), (2010). [13] W. Davis, et al., Current status of ITER I&C system as integration begins, Fus. Eng. Design 112 (2016) 788–795. [14] M. Park, et al., Overview of KSTAR integrated control system, Nucl. Eng. Tech. 40 (October (6)) (2008). [15] J.G. Krom, The evolution of control and data acquisition at JET, Fusion Engin. and Design 43 (1999) 265–273. [16] http://www.aps.anl.gov/epics/.
Acknowledgements This work has been carried out within the framework of the EUROfusion Consortium and has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement number 633053. The views and opinions expressed herein do not necessarily reflect those of the European Commission. References [1] D. Stork, et al., Towards a programme of testing and qualification for structural and plasma-facing materials in fusion neutron environments, Nucl. Fusion 57 (2017). [2] G. Federici, et al., DEMO design activity in Europe: progress and updates, Fus. Eng. Design 136 (2018) 729–741.
2686