
Memorandum / Note Guidelines for PSS-OS design (static.iter.org/codac/pcdh7/Folder 2/5-Guidelines_for_PSS-OS_design...)

PDF generated on 31 Jan 2014. DISCLAIMER: UNCONTROLLED WHEN PRINTED – PLEASE CHECK THE STATUS OF THE DOCUMENT IN IDM

Memorandum / Note Guidelines for PSS-OS design

This document provides the guidelines to be followed by the plant system I&C designers for the development of the part of the Plant System I&C which implements the occupational safety protection functions and interfaces with the Central Safety System for Occupational Safety (CSS-OS).

Approval Process

Role         Name                   Action                      Affiliation
Author       Pernin J.-M.           05 Dec 2013: signed         IO/DG/DIP/CHD/CSD
Co-Authors   Fernandez Robles C.    06 Dec 2013: signed         IO/DG/DIP/CHD/CSD/PCI
             Petitpas P.            06 Dec 2013: signed         IO/DG/DIP/CHD/CSD/PCI
Reviewers    Wallander A.           17 Dec 2013: recommended    IO/DG/DIP/CHD/CSD
             Yonekawa I.            06 Dec 2013: recommended    IO/DG/DIP/CHD/CSD/PCI
Approver     Thomas P.              31 Jan 2014: approved       IO/DG/DIP/CHD

Document Security: level 1 (IO unclassified)
RO: Fourneron Jean-Marc
Read Access: AD: ITER, AD: External Collaborators, AD: IO_Director-General, AD: Division - Control System Division - EXT, AD: Section - CODAC - EXT, AD: Section - CODAC, AD: Auditors, AD: ITER Management Assessor, project administrator, RO, LG: PBS48 EXT, AD: Section - Plant Control and Instrumentation
IDM UID: C99J7G
Version created on / Version / Status: 05 Dec 2013 / 1.2 / Approved
External Reference:

Change Log

Title (Uid)                                   Version   Latest Status        Issue Date    Description of Change
Guidelines for PSS-OS design (C99J7G_v1_2)    v1.2      Approved             05 Dec 2013   Comments integration
Guidelines for PSS-OS design (C99J7G_v1_1)    v1.1      Revision Required    25 Oct 2013   Removal of two PSS-OS architectures
Guidelines for PSS-OS design (C99J7G_v1_0)    v1.0      Approved             21 Dec 2012   Creation of the document
Guidelines for PSS-OS design (C99J7G_v0_0)    v0.0      In Work              07 Nov 2012


Page 1 of 58

Table of Contents

1 INTRODUCTION ............................................................ 4
  1.1 SCOPE ................................................................ 5
  1.2 ACRONYMS ............................................................. 5
  1.3 REFERENCES ........................................................... 7
    1.3.1 Applicable documents ............................................. 7
    1.3.2 Applicable standards ............................................. 7
    1.3.3 Reference documents .............................................. 7
    1.3.4 Hardware Reference documents ..................................... 7
    1.3.5 Software Reference documents ..................................... 7
  1.4 PCDH CONTEXT ......................................................... 8
2 PRINCIPLES .............................................................. 9
  2.1 RELATION BETWEEN GUIDELINES FOR PSS-OS DESIGN DOCUMENT AND IEC FUNCTIONAL SAFETY STANDARDS ... 9
  2.2 TERMINOLOGY .......................................................... 9
    2.2.1 SCS-OS ........................................................... 9
    2.2.2 PSS-OS .......................................................... 10
    2.2.3 CSS-OS .......................................................... 11
    2.2.4 PSN-OS .......................................................... 11
    2.2.5 CSN-OS .......................................................... 12
    2.2.6 Safety Function ................................................. 12
    2.2.7 Occupational Safety I&C Function ................................ 12
    2.2.8 Occupational Safety Event ....................................... 13
    2.2.9 Occupational Safety Action ...................................... 13
    2.2.10 Non-critical supervision system ................................ 13
    2.2.11 Critical supervision system .................................... 13
  2.3 OS FUNCTION SCOPE ................................................... 13
    2.3.1 Local OS function – Automatic activation ........................ 14
    2.3.2 Central OS function – Automatic activation ...................... 15
    2.3.3 Central OS function – Manual activation ......................... 15
3 SCS-OS INTRODUCTION .................................................... 17
  3.1 OS HMIS ............................................................. 17
    3.1.1 CSS-OS Operational Components ................................... 18
      3.1.1.1 Safety Critical Hardwired HMI ............................... 18
      3.1.1.2 OS SCADA .................................................... 18
    3.1.2 CSS-OS Maintenance Components ................................... 19
      3.1.2.1 CSS-OS Maintenance Terminals ................................ 19
      3.1.2.2 CSS-OS Engineering workstation .............................. 19
4 PSS-OS ARCHITECTURES ................................................... 20
  4.1 PSS-OS SIL2 CAPABLE ARCHITECTURE .................................... 21
  4.2 PSS-OS SIL3 CAPABLE ARCHITECTURE .................................... 25
5 OS FUNCTION RESPONSE TIME .............................................. 28
6 SENSORS AND ACTUATORS .................................................. 30
  6.1 ASSOCIATED IEC STANDARDS CONCEPTS ................................... 30
    6.1.1 Fail-safe concept ............................................... 30
      6.1.1.1 Definition .................................................. 30
      6.1.1.2 Principles .................................................. 30
      6.1.1.3 Energized to trip & de-energized to trip concepts ........... 30
      6.1.1.4 Signal monitoring ........................................... 31
      6.1.1.5 Conclusion .................................................. 32
    6.1.2 Proven in use concept ........................................... 32
    6.1.3 Diversity concept ............................................... 33
7 NETWORKS ............................................................... 34
  7.1 CONNECTION BETWEEN PSS-OS AND CSS-OS ................................ 34
  7.2 CONNECTION BETWEEN PSS-OS AND THE I/O MODULES ....................... 35
8 HARDWARE ............................................................... 38
  8.1 PSS-OS PLC .......................................................... 38
  8.2 PSS-OS CUBICLES ..................................................... 39
    8.2.1 Environmental conditions ........................................ 39
    8.2.2 Cubicle Monitoring .............................................. 40
  8.3 PSS-OS SWITCH ....................................................... 40
    8.3.1 Conceptual principles ........................................... 40
    8.3.2 Switch Specifications ........................................... 41
  8.4 PSS-OS SIGNAL CABLING ............................................... 41
  8.5 PSS-OS POWERING ..................................................... 41
    8.5.1 Conceptual principles ........................................... 41
    8.5.2 CPU racks ....................................................... 42
    8.5.3 Peripheral racks ................................................ 44
    8.5.4 Network products ................................................ 45
    8.5.5 Cubicle Power distribution ...................................... 45
9 SOFTWARE TOOLS ......................................................... 46
10 SOFTWARE INTERFACES AND FUNCTIONAL REQUIREMENTS ....................... 47
  10.1 OS FUNCTIONAL MONITORING INTERFACE ................................. 47
    10.1.1 OS Common Concepts ............................................. 47
      10.1.1.1 OS Function State and Status ............................... 47
      10.1.1.2 OS Function Reset .......................................... 49
      10.1.1.3 Time synchronization ....................................... 49
      10.1.1.4 Alarm Management ........................................... 49
      10.1.1.5 Naming convention .......................................... 49
  10.2 OS INTERFACE BETWEEN PSS-OS PLC AND CSS-OS PLC ..................... 49
  10.3 OS HARDWARE MONITORING INTERFACE ................................... 50
  10.4 PSS-OS SOFTWARE STRUCTURE .......................................... 50
11 TESTING AND ACCEPTANCE TESTS .......................................... 51
  11.1 ENTRY CRITERIA ..................................................... 51
  11.2 ACCEPTANCE PROCESS ................................................. 51
  11.3 ACCEPTANCE CRITERIA ................................................ 51
  11.4 FAT ................................................................ 51
  11.5 SAT ................................................................ 52
12 STANDARDS COMPLIANCE AND SIL ASSESSMENT ............................... 53
13 PERIODIC TESTS PRINCIPLE .............................................. 55
APPENDIX 1 – DETAILED LOGIC HARDWARE LISTS ............................... 56


1 Introduction

Occupational safety (OS) is a cross-disciplinary area concerned with protecting the safety, health and welfare of people engaged in work or employment. The goal of all occupational safety and health programs is to foster a safe work environment. In the ITER project, safety concerns are divided into:

• Nuclear safety risks related to internal and external exposure to ionizing radiation and releases of radioactive material,

• Occupational safety risks, covering all non-nuclear risks.

Occupational safety risks include, among others:

• Work in confined spaces,
• Proximity to heavy duty equipment,
• Elevated loads,
• Pressure build-up in circuits,
• High temperature,
• Cryogenic risks,
• Electrical risks,
• Magnetic risks,
• Oxygen depletion.

As mentioned in [RD6] - Occupational Health and Safety risks I&C monitoring [ITER_D_AHPD5D], some systems, pieces of equipment and installations shall require monitoring in order to share prompt information and initiate corrective actions upon risk detection. Some basic principles of monitoring and I&C actions which could be performed using the Safety Control System for Occupational Safety (SCS-OS), are described in [RD6].

Two types of protection can be found for OS risks:

• Internal protections implemented within the system design. These are inherent protections embedded in the component, assembly or system itself which do not involve I&C systems (e.g. passive safety relief valves, cages, locking systems, ...),

• I&C protections, which are instrumented functions that protect and warn personnel against possible immediate risks due to machine or system failure, malfunction or normal hazardous operation (e.g. oxygen monitoring, leak detection, ...).

The Safety Control System for Occupational Safety (SCS-OS) provides an I&C safety system for the entire ITER plant for the protection of people and the environment, covering occupational safety issues related to non-nuclear risks. This SCS-OS contains a central part, the Central Safety System (CSS-OS) linked to local parts, the Plant Safety Systems (PSS-OS), by a Central Safety Network (CSN-OS). A plant safety system for OS is an I&C safety system of a plant system which implements occupational safety functions.

The following elements are not included in the safety I&C system for occupational safety:

• Fire detection and protection systems, as these are independent systems delivered by PBS.62 and 63 (Buildings),
• Radiation protection system, as it is an independent system delivered by PBS.64 (Radiological and Environmental Monitoring),
• Access control system, which provides access to controlled zones where it is necessary to control on-site movement and to ensure that only properly authorized people have access, as it is an independent system delivered by PBS.69 (Access Control and Security Systems),
• Hardwired OS functions using Emergency stop buttons (installed on the front doors of electrical boards or near electrical motors, for example),
• I&C functions that have no specific Safety Integrity Level (SIL according to IEC 61508 / IEC 61511) requirements, as these can be implemented with conventional I&C,
• Nuclear Safety Control System,
• Interlock Control System, which is devoted to investment protection.

1.1 Scope

This document provides the guidelines to be followed by the plant system I&C designers for the design of the PSS-OS, which implements the occupational safety protection functions and interfaces to the Central Safety System for Occupational Safety (CSS-OS).

1.2 Acronyms

Acronym   Item
BCR       Backup Control Room (building 24)
BSR       Backup Server Room (building 24)
CDR       Conceptual Design Review
CFC       Continuous Function Charts
CIS       Central Interlock System
CNP       Central I&C Network Panel
CSN       Central Safety Network
CSS       Central Safety System
CODAC     Control, Data Access and Communication
CPU       Central Processing Unit
EEE       Electronic, Electrical and Electromechanical
E/E/PE    Electrical / Electronic / Programmable Electronic
EPB       Emergency Push Button
FAT       Factory Acceptance Tests
FDR       Final Design Review
HFT       Hardware Fault Tolerance
HIRA      Hazard Identification and Risk Assessment
HMI       Human-Machine Interface
HO        Hand Over
I&C       Instrumentation & Control
IEC       International Electrotechnical Commission
IO        ITER Organization
I/O       Input / Output
IOC       Input Output Controller
LAS       Local Access Safety
MCR       Main Control Room (building 71)
MRR       Manufacturing Readiness Review
MSR       Main Server Room (building 71)
OHS       Occupational Health and Safety
OS        Occupational Safety
PBS       Plant Breakdown System
PCDH      Plant Control Design Handbook
PDR       Preliminary Design Review
PFD       Probability of Failure on Demand
PFH       Probability of Failure per Hour
PLC       Programmable Logic Controller
PR        Project Requirements (ITER)
PS        Plant System
PSCC      Plant System Conventional Control
PSN       Plant Safety Network
PSS       Plant Safety System
PST       Process Safety Time
QC        Quality Control
RFE       Ready For Equipment
RO        Responsible Officer
SAT       Site Acceptance Tests
SCADA     Supervisory Control And Data Acquisition
SCS       Safety Control System
SIL       Safety Integrity Level
SIS       Safety Instrumented System
SPSS      Standard PLC Software Structure
SQS       Safety, Quality and Security Department
SRD       System Requirements Document

For a complete list of ITER abbreviations refer to [RD10] - ITER Abbreviations [ITER_D_2MU6W5].


1.3 References

1.3.1 Applicable documents

[AD1] Project Requirements (PR) [ITER_D_27ZRW8]
[AD2] SRD-48 (Central Safety System) from DOORS [ITER_D_2EBF97]
[AD3] CSS-OS SRD Complements about functional requirements [ITER_D_9GJ9G9]

1.3.2 Applicable standards

[AS1] IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related systems.
[AS2] IEC 61511: Functional safety - safety instrumented systems for the process industry sector.

1.3.3 Reference documents

[RD1] Plant Control Design Handbook (PCDH) [ITER_D_27LH2V]
[RD2] ITER Policy on EEE in Tokamak complex [ITER_D_6ZX6S3]
[RD3] Guidance for EEE in Tokamak complex [ITER_D_7NPFMA]
[RD4] Occupational Health and Safety Management Plan [ITER_D_6LCG7B]
[RD5] Procedure for Occupational Health and Safety Hazard Identification and Assessment [ITER_D_AJLQRF]
[RD6] Occupational Health and Safety risks I&C monitoring [ITER_D_AHPD5D]
[RD7] Integration Scheme and procedure for Plant System I&C [ITER_D_3VVU9W]
[RD8] Usage of IEC 61511 [ITER_D_DMF2CW]
[RD9] Guidelines for PSS-OS Reliability Assessment [ITER_D_HXQ35R]
[RD10] ITER Abbreviations [ITER_D_2MU6W5]

1.3.4 Hardware Reference documents

[RD11] ITER Catalogue for I&C products – Cubicles [ITER_D_35LXVZ]
[RD12] ITER Catalogue for I&C products – Slow Controllers [ITER_D_333J63]
[RD13] I&C Cubicle Monitoring System – Functional Specifications [ITER_D_7A45LE]
[RD14] I&C Cubicle Internal Configuration [ITER_D_4H5DW6]
[RD15] EDH Part 1: Introduction [ITER_D_2F7HD2]
[RD16] IO cable catalogue [ITER_D_355QX2]
[RD17] EDH Part 4: Earthing [ITER_D_2ELREB]
[RD18] IO Cabling Rules [ITER_D_335VF9]
[RD19] EDH Guide A: Electrical Installations for SSEN Client Systems [ITER_D_2EB9VT]

1.3.5 Software Reference documents

[RD20] PLC Software Engineering Handbook [ITER_D_3QPL4H]
[RD21] Philosophy of ITER Alarm System Management [ITER_D_3WCD7T]
[RD22] SIEMENS S7 Safety Engineering System Manual [SIEMENS_A5E00109529-06]


1.4 PCDH context

The [RD1] - Plant Control Design Handbook (PCDH) defines the methodology, standards, specifications and interfaces applicable to the whole life cycle of ITER plant system Instrumentation & Control (I&C) systems. I&C standards are essential for ITER to:

• Integrate all plant systems into one integrated control system,
• Maintain all plant systems after delivery acceptance,
• Contain cost by economy of scale.

PCDH comprises a core document which presents the plant system I&C life cycle and recaps the main rules to be applied to the plant system I&Cs for conventional controls, interlocks and safety controls. Some I&C topics are explained in greater detail in dedicated documents associated with PCDH [RD1]. This document is one of them.

Figure 1.1: PCDH documents structure (PCDH core and satellite documents, v7). The figure is a block diagram; the document groups and titles it shows are listed below, with the IDM reference in parentheses where the figure gives one. The legend distinguishes documents that are available and approved from those that are expected, and marks this document.

Core PCDH (27LH2V): Plant system control philosophy; Plant system control life cycle; Plant system control specifications; CODAC interface specifications; Interlock I&C specification; Safety I&C specification.

PS CONTROL DESIGN: Plant system I&C architecture (32GEBH); Methodology for PS I&C specifications (353AZY); CODAC Core System Overview (34SDZ5).

INTERLOCK CONTROLS: Guidelines PIS design (3PZ2D2); Guidelines for PIS integration & config.; Management of local interlock functions; PIS Operation and Maintenance.

I&C CONVENTIONS: I&C Signal and variable naming (2UT8SH); ITER CODAC Glossary (34QECT); ITER CODAC Acronym list (2LT73V).

PS SELF DESCRIPTION DATA: Self description schema documentation (34QXCP).

CATALOGUES for PS CONTROL: Slow controllers products (333J63); Fast controller products (345X28); Cubicle products (35LXVZ); Integration kit for PS I&C.

PS CONTROL INTEGRATION: The CODAC-PS Interface (34V362); PS I&C integration plan (3VVU9W); ITER alarm system management (3WCD7T); ITER operator user interface (3XLESZ); Guidelines for PON archiving; PS Operating State management (AC2P4J); Guidelines for Diagnostic data structure (354SJ3).

PS CONTROL DEVELOPMENT: I&C signal interface (3299VT); PLC software engineering handbook (3QPL4H); Guidelines for fast controllers (333K4C); CODAC software development environment (2NRS2K); Guidelines for I&C cubicle configurations (4H5DW6); CWS case study specifications (35W299).

NUCLEAR PCDH (2YNEFU).

OCCUPATIONAL SAFETY CONTROLS: Guidelines for PSS-OS design (this document).


2 Principles

This chapter describes the common environment for all occupational safety actors: the specific terminology used, and the various occupational safety function types necessary to cover all the OS needs.

2.1 Relation between guidelines for PSS-OS design document and IEC Functional Safety standards

These guidelines highlight important requirements and define specific ITER design features concerning integration and interfaces with the central system for occupational safety and overall operation. In parallel, PBS48 OS provides a complementary guidelines document which introduces the IEC requirements to be scrupulously followed by each plant system in order to obtain final SIL certification. Refer to [RD9] - Guidelines for PSS-OS Reliability Assessment [ITER_D_HXQ35R] for more details.

2.2 Terminology

This section introduces the basic concepts of OS to be taken into account by the plant systems.

2.2.1 SCS-OS

The Safety Control System for Occupational Safety (SCS-OS) provides an I&C safety system for the entire ITER plant for the protection of people and the environment regarding occupational safety issues related to non-nuclear risks. This SCS-OS contains a central part, the Central Safety System (CSS-OS), linked to local parts, the Plant Safety Systems (PSS-OS), by a Central Safety Network (CSN-OS). A plant safety system for OS is an I&C safety system of a plant system containing occupational safety functions.

Figure 2.2: SCS-OS Overview and scope of the document. The figure shows the SCS-OS scope enclosing two parts: the CSS-OS scope (control-room and server-room, with the CSS-OS Safety PLC, Safety Critical Hardwired HMI, CSS-OS Terminal, CSS-OS Maintenance Terminal, CSS-OS Servers and CSS-OS Engineering Workstation) and the PSS-OS scope (the PSS-OS Safety PLC in the plant systems), linked by the CSN-OS.

Caution: redundancies of Control Rooms and Server Rooms are not represented in figure 2.2.

2.2.2 PSS-OS

The Plant Safety Systems for Occupational Safety (PSS-OS) are part of the plant system I&C. Every plant system that requires an I&C function with a SIL equal to or above SIL1 (refer to IEC 61511 [AS2] and the OHS HIRA procedure [RD5]) must have a PSS-OS to reduce the OS risks it generates. Caution: the passive protections ensured by the system design (safety relief valves, cages, locking systems, ...) are unrelated to the I&C system and are therefore out of the scope of this document.

The PSS-OS performs the OS I&C functions by means of sensors, PLCs and actuators. Each PSS-OS provides local protection by implementing the local occupational safety functions of the corresponding plant system. A PSS-OS may also participate in the central safety functions coordinated by the CSS-OS. It is the responsibility of the plant system responsible officer to supply, implement and operate:

- Sensors and actuators involved in OS I&C functions,
- The PSS-OS PLC, including a standard interface with the CSS-OS through the CSN-OS.

The PSS-OS is independent (in terms of hardware components & associated software) of the system that manages the nuclear safety I&C functions of the plant system.

The PSS-OS is also independent (in terms of hardware components and associated software) of all the other I&C systems of the plant system (conventional and interlock systems).

2.2.3 CSS-OS

The Central Safety System for Occupational Safety is the central part of the SCS-OS, which integrates functions to coordinate the locally distributed plant I&C systems. It retrieves and manages data from the distributed systems to activate protections that remove or reduce hazardous conditions which have been detected. It does this either automatically, or on a manual operator command from the operator's safety desks located in the control rooms. At the central level, the Central Safety System for Occupational Safety (CSS-OS, managed by PBS.48) is responsible for providing:

- CSS-OS PLCs which host the safety applications for coordinating the plant systems,
- Human-machine interfaces for the supervisory features of all the OS I&C functions that have to be reported in the control rooms: monitoring, control, diagnostics, maintenance and archiving,
- A dedicated redundant network (CSN-OS, refer to section 2.2.5) to enable communication between all the OS systems,
- An engineering workstation,
- Hardwired panels to manage central functions with manual activation and to display information that requires high reliability.

The CSS-OS is installed in the server rooms and control rooms of buildings 71 and 24. The CSS-OS is beyond the scope of this document. The CSS-OS is independent from the system that manages the nuclear safety functions.

Notes:
- PBS.48 (CSS) also implements central systems for nuclear safety. The design of this system is detailed in a dedicated document.
- The Central Safety Systems together with CODAC and the Central Interlock System (CIS) form the ITER I&C Central Systems.

2.2.4 PSN-OS

The Plant Safety Network for Occupational Safety (PSN-OS) is the OS field network. It provides communication between the components involved in the OS functions inside one plant system. The PSN-OS connects the PSS-OS PLC in a plant system to the sensors and actuators in the same plant system when distributed I/O stations are used. The PSN-OS can also connect PSS-OS PLCs together when there is more than one in a plant system. The PSN-OS of one plant system is not shared with other plant systems.

Figure 2.3: PSN-OS Network. The figure shows the CSS-OS Safety PLC in the server room connected over the CSN-OS to the PSS-OS Safety PLC in the plant system, which in turn connects over the PSN-OS to a remote I/O station (with transmitters, T) and onward to other remote I/O stations.

2.2.5 CSN-OS

The Central Safety Network for Occupational Safety is the OS network. It provides communication between the plant safety systems and the Central Safety System for inter-plant system OS protection and monitoring functions via a redundant industrial Ethernet network. The CSN-OS is composed of two redundant networks and is independent of the network that manages the nuclear safety functions.

The supply of the CSN-OS is beyond the scope of the plant systems. The plant system providers are responsible for the PSS-OS connection to these redundant networks.

2.2.6 Safety Function

Safety function definition from IEC 61511 Part 1: "Function to be implemented by an SIS, other technology safety-related system or external risk reduction facilities, which is intended to achieve or maintain a safe state for the process, with respect to a specific hazardous event"

"Safety Instrumented System (SIS): Instrumented system used to implement one or more safety instrumented functions. An SIS is composed of any combination of sensor(s), logic solver(s), and final element(s)"

2.2.7 Occupational Safety I&C Function

This is a safety I&C function that addresses a specific occupational safety hazard.


2.2.8 Occupational Safety Event

This is the plant system state, or combination of states involving one or several different plant systems, that could potentially result in injuries and illnesses to people, and that triggers an action of the corresponding PSS-OS and/or the CSS-OS. The plant system state is usually determined through sensors.

2.2.9 Occupational Safety Action

These are measures or sequences of measures carried out by the PSS-OS and/or the CSS-OS to mitigate the risks following an occupational safety event. These protection actions are managed by the PSS-OS when the measures are restricted to the plant system which detected the event, and by the CSS-OS when several plant systems are involved.

2.2.10 Non-critical supervision system

The non-critical supervision system, which is mainly composed of computerized HMIs, monitors the occupational safety functions. These computerized HMIs are located in the control and server rooms depending on the associated user activities. This system does not contribute to the SIL classified safety I&C functions.

2.2.11 Critical supervision system

The critical supervision system is a component of the CSS-OS which has the ability to contribute to the SIL classified occupational safety I&C functions, unlike the non-critical supervision system. Physically, this system will be implemented as two redundant hardwired panels, one in the Main Control Room for the safety operators, and the other in the Back-Up Control Room. These components monitor and also control some specific critical OS functions.

2.3 OS function scope

Given the organizational division of ITER and in order to meet the safety requirements, the functional requirements address two different needs:

- Each plant system must have the means to detect and reduce its own OS risks locally,
- If different plant systems are involved in the same OS function, a central system must coordinate the locally distributed safety systems.

Two categories of occupational safety functions are defined:

- "Requiring human intervention" type: high occupational risks that require a human response. The alarms and information related to these functions are displayed on a very reliable hardwired HMI (in the CSS-OS scope) because they trigger an action by the operator and consequently the safety action.

- "Automatic" type: in this case, the risk is controlled by the SCS-OS without any human intervention. These functions are monitored from a computerized HMI, with detailed diagnostic performance.

Apart from a minimal number of specific cases, the occupational risk functions are automatic functions.

From these requirements and to cover all future OS functions, CSS has defined OS function types. These types should cover the complete needs of PSS-OS. The following sections describe these OS function types.


2.3.1 Local OS function – Automatic activation

As a consequence of the identification process of safety functions described in [RD4] (Occupational Health and Safety Management Plan [ITER_D_6LCG7B]) and of the type of occupational risks, the majority of occupational safety I&C functions are expected to be completely implemented at plant system level. Hence, most OS functions will be local functions. The plant system has the means of detecting its OS risk (its own sensors) and of reducing it (its own actuators), thereby performing an automatic safety protection or mitigation action to control the risk. Therefore, throughout its life cycle the plant system is fully responsible for the safety level of its own occupational safety I&C functions as defined in the applicable standards [AS1] and [AS2].

The central I&C system for occupational safety does not play an active role in the safety function. It is in charge of non-critical actions such as the reset of functions, and it is informed about changes of state of the plant system. These OS I&C functions are called "local" safety functions.

[Figure 2.4: Local function mechanisms. Within the plant system, the risk detecting system (sensor, event) and the risk eliminating system (actuator, action) are safety critical components (they contribute to the SIL classified safety I&C functions). In the central system, only the non-critical supervision component (which does not contribute to the SIL classified safety I&C functions) is used: it receives the event or action transmission for monitoring and issues the reset. The critical supervision system and the coordination system are not used in this case.]

Note: the risk detecting system logic and the risk eliminating system logic can be in the same PLC.

The majority of the occupational safety I&C functions are expected to be fully implemented in one plant system. Given this local function concept, PBS48 OS plans to develop an OS standard in order to define and fix the monitoring interface between the PSS-OS and the CSS-OS.


2.3.2 Central OS function – Automatic activation

Some OS I&C functions may concern two or more plant systems. In this case, the occupational safety events are detected by the plant system(s) and transmitted to the central OS I&C system, which takes a safety decision and dispatches the required safety actions to the other plant system(s) involved. Together, the plant systems providing part of the function and the central system must achieve the required safety level defined by the relevant standards [AS1] and [AS2]. The central system is also responsible for the central supervisory features (critical and non-critical supervision systems). These OS I&C functions are called "central" safety functions.

[Figure 2.5: Central function mechanisms. The risk detecting system of Plant System X (sensor, event) transmits the event to the coordination system of the central system, which transmits the action to the risk eliminating system of Plant System Y (actuator, action); these three are safety critical components (they contribute to the SIL classified safety I&C functions). The non-critical supervision system (which does not contribute to the SIL classified safety I&C functions) monitors both plant systems and issues the reset. The critical supervision system is not used in this case.]

2.3.3 Central OS function – Manual activation

Some safety functions require an operator to take a safety decision to trigger a safety action. In this case, the occupational safety events are detected by the plant system(s) and transmitted to the central OS I&C system which alerts the safety operator through a very reliable HMI. This HMI allows commands to be executed on the central system which in turn dispatches the required safety actions to the plant system(s). The central system contributes to the safety integrity level of these functions. Together the plant systems providing part of the function and the central system must be accredited at the required safety integrity level defined by the relevant standards [AS1] and [AS2].


The central system is responsible for the critical monitoring and critical control of the functions which require a safety level and for non-critical supervisory features that do not require a safety integrity level.

[Figure 2.6: Central function mechanisms - requiring operator intervention. As in Figure 2.5 (event transmission from the risk detecting system of Plant System X to the coordination system, action transmission to the risk eliminating system of Plant System Y), but here the critical supervision system is also in use: it receives critical monitoring from the coordination system and sends critical control back to it. The non-critical supervision system monitors both plant systems and issues the reset. Safety critical components contribute to the SIL classified safety I&C functions; non-critical supervision components do not.]

Note: the risk eliminating system can be included in the same plant system as the risk detecting system.


3 SCS-OS Introduction

To meet all OS requirements, the CSS-OS System is composed of a safety logic system (to coordinate the OS central functions) and a SCADA system (to supervise all local and central OS functions). The following sections focus on the different OS human machine interfaces designed to be used by the various OS actors.

Note: The elements are described here mainly for information purposes, as the PSS-OS designer will finally build the interface with those components, even if in some cases it is an indirect interface.

The different software tools associated with each component are developed in chapter 9.

3.1 OS HMIs

There are four dedicated human machine interfaces for the occupational safety System:

- Operating terminals,
- Safety critical hardwired HMI,
- Maintenance terminals,
- Engineering workstation.

[Figure 3.1: OS HMIs and associated components. Control-room: the CSS-OS Terminal (supervision component) and the Safety Critical Hardwired HMI (safety critical component). Server-room: the CSS-OS Engineering Workstation, the CSS-OS Maintenance Terminal, the CSS-OS SCADA Server and the CSS-OS Safety PLC. All are connected through the CSN-OS to the plant systems (PSSx-OS).]

Caution: redundancies of Control Rooms and Server Rooms are not represented in figure 3.1.


The figure above focuses on the different human machine interfaces (the other CSS-OS components are not represented).

The routine access to the various PSS-OS is done from the control and server rooms using the SCS-OS infrastructure. The PSS-OS will mainly connect to two interfacing components: the CSS-OS Safety PLC associated with the safety critical hardwired HMI (coordination purpose, for the OS I&C central functions) and the CSS-OS SCADA server (supervision purpose, for all OS I&C functions, local and central).

3.1.1 CSS-OS Operational Components

There are two types of operational component:

- The Safety Critical Hardwired HMI,
- The OS SCADA.

3.1.1.1 Safety Critical Hardwired HMI

When the monitoring (or control) affects the triggering of safety actions and also requires a safety level (SIL), a very reliable (hardwired) supervisory device will be designed. It may be required for "not fully automatic" high occupational risks that need a human response (i.e. a command) to trigger the safety function, or to display critical occupational safety function alarms or states. The redundant safety critical hardwired HMIs are located in the control rooms and are connected to the CSS-OS Safety PLC through specific redundant remote I/O stations.

Note: This component is expected to manage few occupational safety parameters.

3.1.1.2 OS SCADA

The Operating part of the OS SCADA is represented by the CSS-OS terminals located in the control rooms. They support the monitoring (and control) and have no impact on the actuation of an OS function. Support is via:

- OS functional views (global and detailed) (in CSS-OS scope),
- Alarm list views (in CSS-OS scope),
- Archived data list views (in CSS-OS scope).

The SCS-OS is mainly an automatic system, offering the safety operator more supervision than control. On the control side, the main action of the operator in the Control Room is the reset command. The OS reset commands are sent by authorised operators from the CSS-OS operating terminals using the OS functional detailed views. These commands are needed for OS operation but cannot modify the critical machine protection configuration of the PSS-OS. They are transmitted to the PSS-OS logic via the redundant CSN-OS.

From the operator interface requirements of IEC 61511-1: "The SIS status information that is critical to maintaining the SIL shall be available as part of the operator interface. This information may include:

- where the process is in its sequence;
- indication that SIS protective action has occurred;
- indication that a protective function is bypassed;
- indication that automatic action(s) such as degradation of voting and/or fault handling has occurred;
- status of sensors and final elements;
- the loss of energy where that energy loss impacts safety;
- the results of diagnostics;
- failure of environmental conditioning equipment which is necessary to support the SIS"


Warning: the adjective "critical" is used with different meanings by PBS48 OS and by the IEC standards. For PBS48 OS, "critical" distinguishes the central I&C system components according to their contribution to the SIL classified functions (the supervision systems, for example). The IEC standards use "critical" in the sense of very important or essential (the SIS status information that is essential to maintaining the SIL).

3.1.2 CSS-OS Maintenance Components

There are two types of maintenance component:

- The CSS-OS maintenance terminals,
- The CSS-OS engineering workstation.

3.1.2.1 CSS-OS Maintenance Terminals

Through the specific CSS-OS terminals located in the server rooms, the SCS-OS displays the detailed state of the occupational safety system to the maintenance team via:

- PLC hardware diagnostic supervision views (in PSS-OS and CSS-OS scope),
- Cubicle hardware diagnostic supervision views (in PSS-OS and CSS-OS scope),
- Network component hardware diagnostic supervision views (in CSS-OS scope),
- Inter-systems communication diagnostic supervision views (in CSS-OS scope).

The CSS-OS maintenance terminals also permit maintenance override operations, without disturbing the Control Room operator during maintenance phases, through specific and detailed OS functional views. The Control Room is informed about maintenance override operations in two parallel ways on the CSS-OS Operating terminal:

- through alarm management in a dedicated SCADA area and the associated alarms (maintenance override set, maintenance override reset, time delay out),
- through the synthesis of the OS function state (via a specific colour code, for example).

3.1.2.2 CSS-OS Engineering workstation

An engineering workstation is necessary for changing the PLC application configuration and for online monitoring. This station contains the off-line version of the application running inside all PLCs of the CSS-OS and PSS-OS. The SIEMENS engineering workstation is directly connected to the CSN-OS to manage the PSS-OS PLC software (and also the CSS-OS PLC software) through a SIEMENS proprietary protocol.


4 PSS-OS Architectures

Each plant system will have its own PSS-OS architecture designed taking into account the following: Functional requirements, IEC 61511 standard requirements, ITER catalogues.

1. The functional requirements associated to the CSS-OS are: Interface with the OS SCADA (supervision purpose for all OS I&C functions), Interface with the CSS-OS Safety PLC (coordination purpose for central OS I&C functions).

2. The IEC 61511 standard requirements are listed in [RD9] (Guidelines for PSS-OS Reliability Assessment [ITER_D_HXQ35R]).

3. For standardization purpose, all actors of the ITER I&C System (PSS-OS and CSS-OS for Occupational Safety) will use [RD12] - ITER Catalogue for Slow Controllers [ITER_D_333J63] about hardware & software selection. This ITER Catalogue is composed of selected components and associated software for the SIEMENS products.

For integrating safety engineering into SIMATIC S7 automation systems complementary to the conventional SIEMENS product, two specific fail-safe systems are available:

- The S7 Distributed Safety System,
- The S7 F/FH System.

Each system has specific hardware components and software tools associated with it.

The following table summarizes the main hardware components selected by PBS48 OS.

Table 4.1: PBS48 OS selected components

  S7 Fail-safe System    | SIMATIC S7 Distributed Safety System | SIMATIC S7 F/FH System
  CPU controller series  | S7-300F                              | S7-400H
  Remote I/O station     | S7 ET200M                            | S7 ET200M
  I/O modules            | S7-300 Safety modules                | S7-300 Safety modules

To respond to the majority of PSS-OS needs and to facilitate the hardware and software interfaces between all the OS actors, PBS48 OS has defined two PSS-OS architectures based on the S7 Fail-Safe System:

- The first system (SIMATIC S7 Distributed Safety System) will be used by the designer of the plant system to build SIL2 capable architectures,
- The second system (SIMATIC S7 F/FH System, fault-tolerant oriented) will be used by the designer of the plant system to build SIL3 capable architectures.

Refer to [RD9] - Guidelines for PSS-OS Reliability Assessment [ITER_D_HXQ35R] for more details about PBS48 OS orientation for each architecture.

The following table gives the results (failure measure and SIL level) of the verification procedure (an IEC 61511 standard requirement) carried out by PBS48 OS for each PSS-OS configuration, in order to support the Plant System selection.


Note: These results were obtained from assumptions for the reliability data of sensors and actuators, which are out of the scope of the PSS-OS. The Plant System designer will take into account the selected sensors and actuators and their associated IEC characteristics for the final calculation.

Refer to [RD9] - Guidelines for PSS-OS Reliability Assessment [ITER_D_HXQ35R] for complete details.

Table 4.2: PSS-OS Architecture results

  Architecture                                       | Demand mode | Failure result | SIL result
  Architecture 1: S7-300F PLC based architecture     | Low         | 7.45E-05       | SIL2
                                                     | High        | 1.50E-08 h-1   |
  Architecture 2: S7-400 F/H PLC based architecture  | Low         | 4.53E-04       | SIL3
                                                     | High        | 8.93E-08 h-1   |

(Failure result: average probability of failure on demand for the low demand mode, probability of dangerous failure per hour for the high demand mode.)
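To see how the two figures in Table 4.2 map onto a SIL claim, the following Python is an added worked example; it is not part of the ITER guideline or of [RD9]. It looks up the IEC 61508 / IEC 61511 target failure measure bands for the low demand (PFDavg) and high demand (PFH) figures of Table 4.2 and then caps the result by the architectural constraint that section 4.1 mentions (Hardware Fault Tolerance = 0 for the Architecture 1 logic solver). The `MAX_SIL_FOR_HFT` table is a simplified reading of the IEC 61511-1 minimum hardware fault tolerance requirement for programmable logic solvers and is an assumption of this example, as is the HFT of 1 used for the redundant Architecture 2 logic solver.

```python
# Added example (not from the ITER guideline or [RD9]): map the failure
# figures of Table 4.2 onto the IEC target failure measure bands and apply
# the architectural constraint that limits the claim.
from dataclasses import dataclass
from typing import List, Tuple

# IEC 61508-1 / IEC 61511-1 target failure measure bands:
# (lower bound inclusive, upper bound exclusive, SIL)
PFD_BANDS: List[Tuple[float, float, int]] = [   # low demand: PFDavg
    (1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1)]
PFH_BANDS: List[Tuple[float, float, int]] = [   # high demand / continuous: PFH per hour
    (1e-9, 1e-8, 4), (1e-8, 1e-7, 3), (1e-7, 1e-6, 2), (1e-6, 1e-5, 1)]

# Assumption: highest SIL claimable for a programmable logic solver with a
# given hardware fault tolerance, simplified from the minimum HFT table of
# IEC 61511-1 (the standard also conditions this on the safe failure fraction).
MAX_SIL_FOR_HFT = {0: 2, 1: 3, 2: 4}


def sil_from_measure(value: float, bands) -> int:
    """SIL whose band contains `value`; 4 if better than the SIL4 band, 0 if
    worse than SIL1 (no SIL can be claimed)."""
    for low, high, sil in bands:
        if low <= value < high:
            return sil
    return 4 if value < bands[0][0] else 0


@dataclass(frozen=True)
class Architecture:
    name: str
    pfd_avg: float         # low demand figure (Table 4.2, "Low")
    pfh_per_hour: float    # high demand figure (Table 4.2, "High")
    logic_solver_hft: int  # hardware fault tolerance of the logic solver

    def claimed_sil(self) -> int:
        """The claim is limited by the weakest of the three criteria."""
        by_pfd = sil_from_measure(self.pfd_avg, PFD_BANDS)
        by_pfh = sil_from_measure(self.pfh_per_hour, PFH_BANDS)
        return min(by_pfd, by_pfh, MAX_SIL_FOR_HFT[self.logic_solver_hft])


# Figures from Table 4.2; HFT = 0 from section 4.1, HFT = 1 for the redundant
# S7-400 F/H logic solver of section 4.2 (assumption of this example).
ARCH1 = Architecture("Architecture 1: S7-300F PLC based", 7.45e-5, 1.50e-8, 0)
ARCH2 = Architecture("Architecture 2: S7-400 F/H PLC based", 4.53e-4, 8.93e-8, 1)

if __name__ == "__main__":
    for arch in (ARCH1, ARCH2):
        print(f"{arch.name}: PFDavg band SIL{sil_from_measure(arch.pfd_avg, PFD_BANDS)}, "
              f"PFH band SIL{sil_from_measure(arch.pfh_per_hour, PFH_BANDS)}, "
              f"HFT cap SIL{MAX_SIL_FOR_HFT[arch.logic_solver_hft]} -> claim SIL{arch.claimed_sil()}")
```

Run stand-alone, the script reproduces the SIL2 and SIL3 results of Table 4.2. The point for a designer is that the failure measure alone would place Architecture 1 in the SIL4 band for low demand and in the SIL3 band for high demand; with the cap modelled here, the SIL2 result comes from the hardware fault tolerance of the single logic solver, so the final calculation with real sensor and actuator data (see the note above) can lower the claim but cannot raise it past that limit.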

Before describing the different PSS-OS architectures, it is necessary to list the main design requirements:

1. One plant system shall have only one PSS-OS which is solely responsible within the plant system for related Occupational safety functions (local functions and part of central safety functions). The PSS-OS controls and monitors associated occupational safety sensors and actuators via the plant safety networks and it constitutes the interface to the CSS-OS via the central safety networks.

2. One PSS-OS may have multiple controllers (due to application size and complexity, or distribution throughout the site).

3. Whenever possible, only one redundant connection to the CSS-OS via the CSN-OS per Plant System should be implemented.

4. Each field network must be totally independent (no link between two occupational safety field networks or other field networks (from CODAC System or Interlock System)).

4.1 PSS-OS SIL2 capable architecture

This architecture is designed to satisfy safety class requirements (Safety Integrity Level) up to SIL2 in accordance with the IEC 61511 standard (Hardware Fault Tolerance = 0 for the logic solver subsystem, for example). Refer to [RD9] - Guidelines for PSS-OS Reliability Assessment [ITER_D_HXQ35R] for more details associated with each subsystem. The architecture uses components selected from the S7 Distributed Safety System catalogue available in [RD12] - ITER Catalogue for slow controllers [ITER_D_333J63].

General requirements for this architecture are:

- A single CPU,
- Safety I/O modules,
- A redundant connection with the redundant occupational safety central networks.

Detailed application for this architecture:

- A single SIMATIC S7-300F-2PN/DP Central Processing Unit (CPU), TÜV approved to SIL3 in accordance with the IEC 61508 standard,
- SIMATIC S7-300 Safety I/O modules,
- An optional SIMATIC S7 ET200 remote I/O station in case of a decentralized need, with a ProfiBus / ProfiSafe field network.

The characteristics of the selected hardware components are described in chapter 8. The characteristics of the associated software tools are described in chapter 9.

[Figure 4.1: SIMATIC S7-300 rack mainly equipped with S7-300F CPU and S7 Safety I/O modules.]

[Figure 4.2: integrated I/O configuration example for an OS local function. The PSS-OS (I&C Architecture) with its SIMATIC S7 CPU 300F-2 PN/DP, sensors and actuators is connected to CSN-OS1 and CSN-OS2, reaching the CSS-OS SCADA Server.]


Note: In an OS I&C local function case, the PSS-OS configuration has only one interface with the CSS-OS (OS SCADA for supervision purpose through the CSS-OS SCADA Server).

[Figure 4.3: integrated I/O configuration example for an OS central function. The PSS-OS (I&C Architecture) with its SIMATIC S7 CPU 300F-2 PN/DP and sensors is connected to CSN-OS1 and CSN-OS2, reaching both the CSS-OS Safety PLC and the CSS-OS SCADA Server.]

Note: In an OS I&C central function case, the PSS-OS configuration has two interfaces with the CSS-OS (OS SCADA for supervision purpose and CSS-OS Safety PLC for coordination purpose).


[Figure 4.4: SIMATIC ET200M remote I/O station equipped with Safety I/O modules.]

[Figure 4.5: remote I/O configuration principle. The PSS-OS SIMATIC S7 CPU 315F-2 PN/DP (S7-300F-2 PN/DP series) is connected to CSN-OS1 and CSN-OS2 and, over the PSN-OS PROFIBUS, to SIMATIC S7 ET 200M remote I/O stations and on to other remote I/O.]

Note: For specific needs (internal Plant System hardware standardization, for example), a SIMATIC S7-400 5H CPU can be used instead of the SIMATIC S7-300 F.

Figure 4.6: SIMATIC S7-400 station mainly equipped with S7-400 5H CPU


[Figure 4.7: specific standard availability configuration principle. As Figure 4.5, with a SIMATIC S7 CPU 400 5H-2 PN/DP in the PSS-OS in place of the S7-300F CPU, connected to CSN-OS1 and CSN-OS2 and, over the PSN-OS PROFIBUS, to SIMATIC S7 ET 200M stations and other remote I/O.]

4.2 PSS-OS SIL3 capable architecture

A philosophy of redundancy is applied to all components (CPU, field network, remote I/O station and associated safety I/O modules). The architecture uses components selected from the S7 F/FH System catalogue (CPU and associated CPU station) and from the S7 Distributed Safety System (remote station and safety I/O modules) available from [RD12] - ITER Catalogue for slow controllers [ITER_D_333J63].

General requirements for this architecture are:

- Two redundant CPUs,
- A minimum of one CPU station (rack),
- Three redundant remote I/O stations,
- Two redundant field networks,
- Associated safety I/O modules,
- A redundant connection with the redundant occupational safety central networks.

Detailed application for this architecture:

- Two redundant SIMATIC S7-400-5H CPUs, TÜV approved to SIL3 in accordance with IEC 61508,
- A minimum of one SIMATIC S7-400 station (rack),
- Two redundant ProfiBus / ProfiSafe field networks,
- Three redundant SIMATIC ET200M remote I/O stations equipped with associated S7-300 Safety I/O modules (2oo3 evaluation case for sensors and 1oo3 evaluation case for actuators).


Each redundant CPU is connected to only one redundant CSN-OS network (CSN-OS 1 or CSN-OS 2).

Both CPUs are connected redundantly to all safety I/O modules via the redundant field networks (each remote I/O station is linked to the two redundant field networks).

The characteristics of the selected hardware components are described in chapter 8. The characteristics of the associated software tools are described in chapter 9.

Note: the CPU redundancy principle is active redundancy. The programs in both CPUs are identical and are executed synchronously by the CPUs.
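The following Python is an added illustration of the 2oo3 sensor evaluation and the 1oo3 actuator evaluation named above for the SIL3 architecture; it is example code written for this page, not PBS48 OS or SIEMENS logic. Channel health stands for the diagnostics that the safety I/O modules and line monitoring provide. The rule that a diagnosed channel fault degrades the vote (2oo3 to 1oo2 to 1oo1, and a trip when no healthy channel is left) is a common design choice and an assumption of this example, not something the guideline prescribes.

```python
# Added example (not from the ITER guideline): 2oo3 sensor / 1oo3 actuator
# evaluation for the redundant SIL3 architecture of section 4.2.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class SensorChannel:
    demand: bool   # True when this channel sees the out-of-limit condition
    healthy: bool  # False when the channel's diagnostics report a fault


def vote_2oo3(channels: List[SensorChannel]) -> bool:
    """Return True when the safety function must trip.

    With three healthy channels the function trips when at least two of them
    demand it, so one spurious channel does not trip the process and one
    silent channel does not hide a real demand.  Assumption (a common design
    choice, not an ITER rule): each diagnosed fault removes that channel
    from the vote and the requirement degrades 2oo3 -> 1oo2 -> 1oo1; with no
    healthy channel left the only fail-safe answer is to trip.
    """
    if len(channels) != 3:
        raise ValueError("2oo3 evaluation needs exactly three channels")
    live = [c for c in channels if c.healthy]
    if not live:
        return True
    needed = 2 if len(live) == 3 else 1
    return sum(c.demand for c in live) >= needed


def vote_1oo3_actuators(reached_safe_state: List[bool]) -> bool:
    """1oo3 final elements: the safe state is reached if any one of the three
    redundant output channels managed to de-energise its actuator."""
    if len(reached_safe_state) != 3:
        raise ValueError("1oo3 evaluation needs exactly three channels")
    return any(reached_safe_state)


def evaluate(sensors: List[SensorChannel], actuator_results: List[bool]) -> Tuple[bool, bool]:
    """One evaluation cycle.

    Returns (trip_demanded, safe): the sensor vote decides the trip, and the
    actuator vote says whether the safe state was reached when it was
    demanded.  With no trip demanded the process is, by definition, still safe.
    """
    trip = vote_2oo3(sensors)
    safe = (not trip) or vote_1oo3_actuators(actuator_results)
    return trip, safe


if __name__ == "__main__":
    S = SensorChannel
    # Constructed scenarios: (description, sensor channels, actuator channels that reached the safe state)
    scenarios = [
        ("one spurious channel", [S(True, True), S(False, True), S(False, True)], [True, True, True]),
        ("real demand, all healthy", [S(True, True), S(True, True), S(False, True)], [False, True, False]),
        ("demand with one channel faulted", [S(True, True), S(False, False), S(False, True)], [True, True, True]),
        ("all channels faulted", [S(False, False), S(False, False), S(False, False)], [True, False, False]),
        ("demand, all actuator channels stuck", [S(True, True), S(True, True), S(True, True)], [False, False, False]),
    ]
    for name, sensors, actuators in scenarios:
        trip, safe = evaluate(sensors, actuators)
        print(f"{name:38s} trip={trip!s:5s} safe={safe}")
```

The last scenario is the one the 1oo3 arrangement exists for: a trip is correctly decided, but the function is only as safe as its final elements, which is why the note above about sensor and actuator reliability data matters for the final calculation.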

[Figure 4.8: redundant I/O configuration principle. Two redundant SIMATIC S7 CPU 400-5H in the PSS-OS, one connected to CSN-OS1 and the other to CSN-OS2; both reach the three redundant SIMATIC S7 ET 200M stations over the two redundant field networks PSN-OS1 PROFIBUS and PSN-OS2 PROFIBUS.]


There are two possibilities for the layout of the redundant CPUs. In the first option, each CPU is located in a separate station and in its own cubicle. In the second option, the two redundant CPUs are located in a single cubicle and in the same station. The drawback of the second option is the common cause failure provoked by an event affecting both CPUs, such as a fire in the cubicle.


OS function response time

One impact that the choice of architecture has is on the OS function response time. The safety system must be capable of detecting the hazardous event and responding in time to mitigate its consequences, which means for example, for local functions involving only one controller, performing the following actions:

1. Sense the out-of-control condition,
2. Digital filtering of the input signal,
3. Input process scan time,
4. PLC program scan time,
5. Any trip delay timers set to remove process noise must time out,
6. Output process scan time,
7. Digital filtering of the output signal,
8. Fully actuate the output device.

If several PLCs are involved in the OS function (central functions, or local functions involving several PLCs), the communication time and the PLC program scan time of each PLC must be added.

How much time the safety system has to respond depends on the dynamics of the process and on the conditions initiating its actions. The IEC standards introduce the Process Safety Time parameter to manage this important point.

The process safety time (PST) is defined as the time period between a failure occurring in the process or the basic process control system (with the potential to cause a hazardous event) and the occurrence of the hazardous event if the safety instrumented function is not performed.

Note: The process safety time is a main output of the risk analysis. Refer to [RD9] - Guidelines for PSS-OS Reliability Assessment [ITER_D_HXQ35R] for more details about the Safety Lifecycle and its associated phases.

[Figure 2.9: Time to respond to abnormal situations. Timeline: fault occurs, fault detected (sensor detection time), action taken (time to react), process reacts (actuator time), cushion, then the process limit / hazardous event; the whole interval from the fault to the hazardous event is the Process Safety Time. On the "fault managed" branch the process turns back at the activation point; on the "fault not managed" branch it reaches the process limit.]


The time to react is a value defined for each OS function. It determines the techniques to use for the implementation of the function. The time to react is the time elapsed between the risk detection and the mitigation request (when the action is requested).

In the case of a central function, this time constraint has to be shared between the different parts of the function (the different PSS-OS and the CSS-OS). Refer to [RD9] - Guidelines for PSS-OS Reliability Assessment [ITER_D_HXQ35R] for more details about the PST allocation to each OS actor.
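As an added worked example (not from the guideline or from [RD9]), the Python below adds up the eight stages listed under "OS function response time" for a local function, extends the sum with the per-PLC scan and communication times of a central function, and compares the worst case with the Process Safety Time. All timing values are constructed for illustration. The factor of two applied to each PLC scan and the rule that the response must fit in half of the PST are common engineering rules of thumb and assumptions of this example, and the share-based split of a central function's time to react between PSS-OS X, the CSS-OS and PSS-OS Y is only one possible allocation scheme, not the one [RD9] defines.

```python
# Added example (not from the ITER guideline): response-time budget of an OS
# function against its Process Safety Time (PST).
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Controller:
    """One PLC on the path of the function (a PSS-OS or the CSS-OS)."""
    name: str
    program_scan_ms: float
    link_to_next_ms: float = 0.0  # worst-case transfer to the next PLC over PSN-OS / CSN-OS


@dataclass
class FunctionTiming:
    """Worst-case contribution of each stage listed in the text (all constructed values)."""
    sensor_ms: float               # 1. sense the out-of-control condition
    input_filter_ms: float         # 2. digital filtering of the input signal
    input_scan_ms: float           # 3. input process scan time
    controllers: List[Controller]  # 4. PLC program scan time, one entry per PLC on the path
    trip_delay_ms: float           # 5. trip delay timer that must time out
    output_scan_ms: float          # 6. output process scan time
    output_filter_ms: float        # 7. digital filtering of the output signal
    actuator_ms: float             # 8. full actuation of the output device

    def worst_case_ms(self) -> float:
        # Assumption (rule of thumb): an input change can arrive just after a
        # PLC cycle started, so each scan is budgeted at twice its cycle time.
        plc_ms = sum(2.0 * c.program_scan_ms + c.link_to_next_ms for c in self.controllers)
        return (self.sensor_ms + self.input_filter_ms + self.input_scan_ms + plc_ms
                + self.trip_delay_ms + self.output_scan_ms + self.output_filter_ms
                + self.actuator_ms)


def check_against_pst(timing: FunctionTiming, pst_ms: float, share: float = 0.5) -> Tuple[bool, float, float]:
    """Assumption (rule of thumb): the whole response must fit in half of the
    PST so that the cushion of figure 2.9 remains.  Returns (ok, worst, budget)."""
    worst = timing.worst_case_ms()
    budget = pst_ms * share
    return worst <= budget, worst, budget


def allocate_time_to_react(total_ms: float, shares: Dict[str, float]) -> Dict[str, float]:
    """Split a central function's time to react between its actors in
    proportion to the given shares (one possible allocation scheme)."""
    total_share = sum(shares.values())
    return {actor: total_ms * s / total_share for actor, s in shares.items()}


# Constructed figures for one function, first as a local function in a
# single PSS-OS, then as a central function routed through the CSS-OS.
LOCAL = FunctionTiming(
    sensor_ms=50.0, input_filter_ms=10.0, input_scan_ms=5.0,
    controllers=[Controller("PSS-OS X", program_scan_ms=20.0)],
    trip_delay_ms=100.0, output_scan_ms=5.0, output_filter_ms=0.0, actuator_ms=500.0,
)
CENTRAL = FunctionTiming(
    sensor_ms=50.0, input_filter_ms=10.0, input_scan_ms=5.0,
    controllers=[
        Controller("PSS-OS X", program_scan_ms=20.0, link_to_next_ms=100.0),
        Controller("CSS-OS", program_scan_ms=30.0, link_to_next_ms=100.0),
        Controller("PSS-OS Y", program_scan_ms=20.0),
    ],
    trip_delay_ms=100.0, output_scan_ms=5.0, output_filter_ms=0.0, actuator_ms=500.0,
)
PST_MS = 2000.0  # constructed: the real value is an output of the risk analysis

if __name__ == "__main__":
    for label, timing in (("local", LOCAL), ("central", CENTRAL)):
        ok, worst, budget = check_against_pst(timing, PST_MS)
        print(f"{label:8s} worst case {worst:6.0f} ms, budget {budget:6.0f} ms -> {'OK' if ok else 'TOO SLOW'}")
    print(allocate_time_to_react(PST_MS * 0.5, {"PSS-OS X": 1, "CSS-OS": 2, "PSS-OS Y": 1}))
```

With these constructed numbers the same function fits the budget as a local function (710 ms against 1000 ms) and exceeds it once it is routed through the CSS-OS (1010 ms), which is the practical reason the text insists that a central function's time constraint must be shared between its actors before the architecture is fixed.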


6 Sensors and actuators

Each Plant System must follow various requirements in order to select each sensor and actuator. The first section of this chapter presents the IEC 61508 / IEC 61511 concepts to be considered in parallel with the IEC requirements. The second part of this chapter concerns the sharing of sensors and actuators, if required, between the different I&C Central Systems (CODAC, Interlock or Safety).

6.1 Associated IEC standards concepts

Suitably qualified sensors and actuators are necessary to achieve the safety integrity level of the OS functions. Complementary to the quantitative and architectural requirements, several concepts introduced by the IEC standards should be taken into account for sensor design and for final control element architecture:

- Fail-safe concept,
- Proven in use concept,
- Diversity concept.

The following sections describe each of them.

6.1.1 Fail-safe concept

6.1.1.1 Definition

In the event of a failure, a fail-safe device or system will automatically switch to a pre-determined safe state. In other words, the failure is not dangerous. Examples:

In the case of a fail-safe sensor failure, the system will automatically switch to a safe state thanks to health monitoring of the signal used.

In the case of failure of a de-energized to trip actuator, the system will automatically switch to a safe state in case of loss of power supply or loss of signal thanks to the safe position of the actuator.

6.1.1.2 Principles

Apart from some specific cases, the design of the Plant System shall follow the principles associated with the fail-safe concept. The main principles are the de-energized to trip concept and the signal monitoring concept.

1. The safe position and the de-energized position of an actuator shall be the same. The safe position of an actuator is reached when the power to that actuator is switched off. So, in the event of power failure, all PLC outputs (actuators commands) will go to the de-energized condition therefore putting the actuators in the safe position. When the power is restored all outputs must remain de-energized until appropriate resets.

2. In order to compensate specific inputs/outputs that are energized-to-trip (not fail-safe), health monitoring on the line (supervised digital input and supervised digital output) shall be used.

6.1.1.3 Energized to trip & de-energized to trip concepts

A safety system is typically designed as normally energized (de-energize-to-trip) so that it is fail-safe. If there is a loss of power or a loss of connectivity between system components, the I&C System will respond with a tripping action. This results in higher safety integrity, but it can also result in more spurious trips of the process.


Figure 5.1: De-energized to trip principle

In some cases, a spurious trip can have dangerous results. For example, initiating a water deluge system inside a building can cause damage to equipment and can be hazardous to personnel. Chemical fire suppression can be dangerous to personnel, and false alarms degrade the willingness to respond by plant personnel. Energized to trip systems can help address this type of situation.

In an energized to trip design, the safety loop has to be energized in order to initiate a trip of the safety system. This means that failures such as loss of power or loss of connectivity between components have to be managed by adequate diagnostics to detect the failures. In an energized to trip design, line monitoring is essential to detect open loop and short circuit failures in the wiring between the logic solver I/O and the field devices.

Figure 5.2: Energized to trip principle

6.1.1.4 Signal monitoring

From the field devices clause of IEC 61511 Part 1: "Energizing to trip discrete input/output circuits shall apply a method to ensure circuit and power supply integrity".

6.1.1.4.1 Definition

Signal monitoring consists of continuously checking the validity of the signal. First of all, it is important to differentiate between a normally open contact and a contact that is open due to a fault such as an open loop. In the same way, it is important to differentiate between a closed contact and a short circuit. Signal monitoring also allows a maintenance action to be launched when a signal is not valid. In this way the signal can be repaired and the I&C system will be fully operational again.


6.1.1.4.2 Application

Caution: the "Safety Activated" action is applicable in most cases but not systematically.

Figure 5.3: Signal monitoring principle

Example with an analogue sensor: the first objective of this analogue sensor, which checks a process variable, is to switch from the safe condition to the unsafe condition according to the monitoring of the x mA threshold. The second objective of this sensor is to switch from "signal valid" to "signal invalid" through the monitoring of the signal validity values (3.9995 mA and 20.007 mA). In this condition, the signal monitoring checks for the invalid areas (case 1 and case 4):

- Case 1: if the loop is open, the system will receive 0 mA.

- Cases 2 and 3: if the transmitter is online and OK, the system will receive a value between 4 and 20 mA.

- Case 4: if the transmitter is in short circuit, the system will receive over 20 mA.

Surveillance of invalid areas facilitates automatic switching to a safe state.
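As an added illustration that is not code from the guideline, the following Python classifies a 4-20 mA reading into the four cases above using the guideline's validity limits (3.9995 mA and 20.007 mA), then derives the safety and maintenance outputs; the trip threshold, the direction of the unsafe side, the `invalid_activates_safety` switch and the sample readings are assumptions.

```python
from enum import Enum

# Signal validity limits taken from the guideline's analogue example
# (section 6.1.1.4.2); the trip threshold "x mA" is a per-sensor parameter.
LOW_VALID_MA = 3.9995    # below this the loop is considered open (case 1)
HIGH_VALID_MA = 20.007   # above this the transmitter is considered shorted (case 4)


class Signal(Enum):
    OPEN_LOOP = 1       # case 1: loop open, reading near 0 mA
    SAFE = 2            # case 2: valid signal, process variable on the safe side
    UNSAFE = 3          # case 3: valid signal, process variable beyond the threshold
    SHORT_CIRCUIT = 4   # case 4: transmitter in short circuit, reading above 20 mA


def classify(current_ma, trip_threshold_ma, trip_above=True):
    """Map one 4-20 mA reading onto the four cases of the guideline.

    trip_above=True means the process variable is unsafe at or above the
    threshold; False means it is unsafe at or below it (assumed convention).
    """
    if current_ma < LOW_VALID_MA:
        return Signal.OPEN_LOOP
    if current_ma > HIGH_VALID_MA:
        return Signal.SHORT_CIRCUIT
    if trip_above:
        beyond = current_ma >= trip_threshold_ma
    else:
        beyond = current_ma <= trip_threshold_ma
    return Signal.UNSAFE if beyond else Signal.SAFE


def evaluate(current_ma, trip_threshold_ma, trip_above=True,
             invalid_activates_safety=True):
    """Derive the monitoring outputs for one reading.

    invalid_activates_safety reflects the caution in section 6.1.1.4.2:
    an invalid signal usually activates the safety action, but not always.
    """
    case = classify(current_ma, trip_threshold_ma, trip_above)
    valid = case in (Signal.SAFE, Signal.UNSAFE)
    activated = case is Signal.UNSAFE or (not valid and invalid_activates_safety)
    return {
        "case": case,
        "signal_valid": valid,
        "safety_activated": activated,
        # an invalid signal is what triggers the maintenance action
        "maintenance_required": not valid,
    }


def monitor(samples, trip_threshold_ma, **kwargs):
    """Evaluate a sequence of readings; the safe state is commanded as soon as
    any sample activates the safety action (fail-safe: no sample is ignored)."""
    results = [evaluate(s, trip_threshold_ma, **kwargs) for s in samples]
    return {
        "cases": [r["case"] for r in results],
        "safe_state_commanded": any(r["safety_activated"] for r in results),
        "maintenance_required": any(r["maintenance_required"] for r in results),
    }


if __name__ == "__main__":
    # Constructed readings for a pressure transmitter, threshold assumed at 12 mA;
    # the 0.0 mA sample represents an open loop (case 1).
    readings = [8.0, 8.4, 0.0, 8.1]
    print(monitor(readings, 12.0))
```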

6.1.1.5 Conclusion

Fail-safe principles must be taken into account during sensor and actuator design for the Plant System. The energized to trip concept should only be used if the de-energized to trip concept is not applicable, or if spurious actuation can cause damage to equipment and can be hazardous to personnel. For energized-to-trip sensors, line health monitoring must be used.

6.1.2 Proven in use concept

If a required sensor or actuator has not already been certified, the Plant System designer may turn to "proven in use" components. From IEC 61511 Part 2 Section 11.5.3.1: "There are very few field devices (sensors and valves) that are designed per IEC 61508-2 and IEC 61508-3. Users and designers will therefore have to depend more heavily on using field devices that have been 'proven-in-use'."


From IEC 61511 Part 1 Section 11.5.3.1:“Appropriate evidence shall be available that the components and subsystems are suitable for use in the safety instrumented system”.

Refer to [AS2] - IEC 61511 standard parts 1 & 2 section 11.5.3 for more details about Proven in use requirements.

6.1.3 Diversity concept

To limit common mode failures, whenever possible, the choice of redundant instruments should be diversified (use of different technologies or different manufacturers).

From IEC 61508 Part 7 Annex B1.4:“Different types of components are used for the diverse channels of a safety-related system. This reduces the probability of common cause failures (for example overvoltage, electromagnetic interference), and increases the probability of detecting such failures.”


7 Networks

7.1 Connection between PSS-OS and CSS-OS

The PSS-OS is linked to the CSS-OS through the CSN-OS Network. The PSS-OS will be connected to both the Main and Backup CSN-OS Networks through the closest CNP Central I&C Network Panel hosting CSN-OS. The link between the PSS-OS Network Cubicle and the CNP Network Panel should use fibre-optic cables as follows: two optical strands for the CSN-OS Main Network and two optical strands for the CSN-OS Backup Network.

The CNP Network Panel is a passive wall-mounted patch panel which is the physical termination point for the CSN-OS Network. The CNP Network Panels are installed at strategic locations close to the plant system I&C cubicles.

A typical network panel layout is shown on the Figure below.

Figure 6.1: Central I&C Network Panel

The PSS-OS owner (RO) is in charge of connecting the PSS-OS Network to the CSN-OS Network, as described in the Interface Sheets between PBS.48 and the PBS of the PSS.

The CSN-OS Network is based on two protocols which ensure communication:

- To connect PSS-OS Safety PLCs to the CSS-OS Safety PLC – SIMATIC S7 connection on Industrial Ethernet support (for central coordination purposes),

- To connect PSS-OS Safety PLCs to the CSS-OS SCADA – Open IE on Industrial Ethernet support (for central supervision purposes),

- To connect Cubicle Monitoring PLCs to the CSS-OS SCADA – Open IE on Industrial Ethernet support.

Figure 6.2: PSS-OS scope (diagram: within the Plant System scope, PSS-OS cubicles each with signal interfaces, a safety controller, a main switch and a backup switch, connected through fibre optic patch panels to the CNPs; the legend distinguishes safety critical components from safety non critical components)

Note 1: Refer to chapter 8 for the OS network component requirements.

Note 2: Due to high magnetic fields and radiation levels, no safety I&C Logic control cubicles will be installed inside the Tokamak Building (B11).

Refer to [RD2] - ITER_Policy_on_EEE_in_Tokamak_complex_ITER_D_6ZX6S3 and [RD3] - Guidance_for_EEE_in_Tokamak_Complex_ITER_D_7NPFMA documents for more details.

7.2 Connection between PSS-OS and the I/O modules

The connection between the PSS-OS and its remote periphery is part of the PSN-OS. The SIMATIC fail-safe signal modules will be operated in the SIMATIC ET200M distributed I/O system. Safety communication between the safety program in the F-CPU and the fail-safe I/O modules takes place via the standard ProfiBus DP with the ProfiSafe safety profile.

Figure 6.3: Connection between PSS-OS and an I/O (diagram: in the PBS.X cubicle, PSS-OS Rack 0 holds the CPU with communication processors CPa and CPb and modules IM0a, DIa, DOa and AI; PSS-OS Periphery Rack 1 holds DIb, DOb and AI; sensors a and b and actuators a and b are wired to these modules; Bus 0 ProfiBus links the racks, and Bus 0 and Bus 1 Industrial Ethernet link the CPU via RJ45 to the main switch and the back-up switch)

In the case of SIL3 capable architecture, the ProfiBus network must be redundant: each redundant CPU is connected to all the peripheral racks using two interface modules per rack as shown on the figure below:

Figure 6.4: Connection between PSS-OS and multiple I/O (diagram: in the PBS.X cubicle, PSS-OS Rack 0 (PS0a, PS0b, CPU0, CP0) and PSS-OS Rack 1 (PS1a, PS1b, CPU1, CP1) are synchronized over two 10 m sync links and 2 m fibre optic links; PSS-OS Periphery Racks 2, 3 and 4 each carry a pair of interface modules (IM0a/IM1a, IM0b/IM1b, IM0c/IM1c) with DI, DO and AI modules serving sensors a, b, c and actuators a, b, c; Bus 0 ProfiBus and Bus 1 ProfiBus form the redundant I/O bus, and Bus 0 and Bus 1 Industrial Ethernet connect via RJ45 to the main switch and the back-up switch)

In the case of a long distance for the ProfiBus I/O bus, it is possible to use optical link modules.


8 Hardware

This chapter presents:

- A description of the hardware involved in the architectures described in chapter 4 – PSS-OS Architectures and chapter 7 – Networks,

- The technical requirements applicable to these hardware components and the associated cubicle.

The logic components used in the PSS-OS architectures must come from the [RD12] - ITER Catalogue for I&C Products – Slow Controllers [ITER_D_333J63].

8.1 PSS-OS PLC

This subsection summarizes the characteristics of the main components of the PSS-OS PLC architecture. Refer to chapter 9 for more details about the associated software tools.

S7-300F-2PN/DP CPU

- Derived from the S7 Distributed Safety System,

- Failsafe automation system,

- Complies with safety requirements to SIL3 in accordance with IEC 61508 standard,

- Based on S7-300, ET200M distributed I/O stations with safety-related modules can be connected,

- Communication to OS SCADA front-ends via Industrial Ethernet 100 Mbits/s,

- Safety-related communication to remote I/O station via ProfiBus DP with ProfiSafe profile.

S7-400-5H CPU

- Derived from the S7 F/FH System,

- Failsafe automation system,

- Complies with safety requirements to SIL3 in accordance with IEC 61508 standard,

- Fault tolerant through redundant design,

- ET200M distributed I/O stations with safety-related modules can be connected,

- Communication to OS SCADA front-ends via Industrial Ethernet 100 Mbits/s,

- Safety-relevant communication to remote I/O station via ProfiBus DP with ProfiSafe profile.

S7 ET200M remote I/O

- Complies with safety requirements to SIL3 in accordance with IEC 61508 standard,

- Safety-relevant communication to CPU via redundant ProfiBus DP with ProfiSafe profile,

- Safety modules compatibility,

- Standard modules compatibility for non-safety-related applications.

S7 Safety Modules

Compared to the standard modules of the S7-300 module family, the fail-safe signal modules differ in terms of their internal dual-channel structure. The two integrated processors monitor each other, automatically test the I/O circuits and force the fail-safe signal module into the safe state when a fault/error has been detected. The F-CPU communicates with the fail-safe signal module by means of the safety-oriented ProfiSafe bus profile.

- Complies with safety requirements to SIL3 in accordance with IEC 61508 standard,

- Supports applications for the S7-300 system (centrally in S7-300 station and/or distributed in ET200M station) and for the S7-400 system (distributed in ET200M station),

- Digital Input module,

- Analogue Input module,

- Digital Output module.

Refer to [RD12] - the ITER Catalogue for I&C products – Slow Controllers [ITER_D_333J63] for more details about these components and about complementary components like the power and communication modules.

Refer to appendix 1 for complete and detailed lists of hardware components for each architecture proposed in chapter 4.

8.2 PSS-OS cubicles

The PSS-OS components will be installed in PSS-OS cubicles.

For the design, engineering and installation of the PSS-OS cubicles, the following rules must be applied:

- The PSS-OS cubicles (floor standing or wall mounted type according to the need) must be compliant with [RD11] - ITER catalogue for I&C products – Cubicles [ITER_D_35LXVZ],

- The space reservation and allocation of the components inside of the PSS-OS cubicle must be compliant with [RD14] - I&C Cubicle Internal Configuration [ITER_D_4H5DW6],

- The handling and installation of the PSS-OS cubicles must be compliant with [RD14] - I&C Cubicle Internal Configuration [ITER_D_4H5DW6],

- The requirements for earthing and electromagnetic compatibility and the cable entries (on top or on bottom) described in [RD15] - EDH Part 1: Introduction [ITER_D_2F7HD2] and in [RD17] - EDH Part 4: Earthing [ITER_D_2ELREB], EMC and Lightning Protection are applicable to the PSS-OS cubicles,

- The specific requirements for Siemens hardware installation (e.g. cable section for backplane connection, etc.) should be taken into account and respected.

The components belonging to the PSS-OS are hosted in dedicated PSS-OS cubicles which must not be shared with conventional control, plant interlock or nuclear safety systems. All electrical components (power supplies, circuit breakers…) have to be fully accessible and easily removable in order to be replaced even if the cubicle is still powered (use of DIN rail is preferred).

For maintenance purposes, cubicles should be installed as far as possible from the sources of disturbances of Building 11 and in areas which are accessible during plasma operation.

8.2.1 Environmental conditions

ITER plant systems will contain a large quantity of electronic, electrical, and electromechanical (EEE) components. Many of them will be, by necessity, located in the radiation and magnetic fields in the TOKAMAK Complex and can be negatively affected by these environmental conditions.

This is the reason why ITER plant electronic, electrical and electro-mechanical systems, and among them the PSS-OS, must comply with the requirements for operating within the TOKAMAK Complex.


Refer to [RD2] - ITER Policy on EEE in the Tokamak Complex [ITER_D_6ZX6S3] and [RD3] - Guidance for EEE in Tokamak Complex [ITER_D_7NPFMA] for more details.

8.2.2 Cubicle Monitoring

All standard I&C cubicles for ITER shall include a monitoring system. This system will be provided by the PSS-OS. The PSS-OS cubicle configuration must comply with the design specifications for hardware integration of the monitoring system in the I&C cubicle specified in [RD14] (I&C Cubicle Internal Configuration [ITER_D_4H5DW6]).

Occupational Safety particular design point: each PSS-OS cubicle monitoring system should be connected to the CSS-OS via the CSN-OS.

8.3 PSS-OS Switch

The connection between the PSS-OS and the CSN-OS is made through the PSS-OS switch to the closest Central I&C Network Panel (CNP). Reminder: the PSS-OS owner (RO) is in charge of connecting the PSS-OS to the CSN-OS Networks, as described in the Interface Sheets between PBS.48 and the PBS of the PSS-OS.

8.3.1 Conceptual principles

The CSN-OS networks use a single-mode fibre-optic interface and are capable of transmitting all PSS-OS information, such as safety communication and monitoring data, under the Ethernet communication protocol. The PSS-OS switch is also in charge of converting data from the fibre-optic interface to the copper hardware interface. Inside each cubicle, two switches are dedicated (one switch per CSN-OS) to manage several functionalities, like safety communication management, diagnostics…

Figure 7.1: Switch redundancy principle


8.3.2 Switch Specifications

The characteristics required are:

- Managed switch,

- One single-mode fibre-optic interface port,

- A minimum of 3 RJ45 interface ports,

- 24Vcc power supply redundancy management,

- Security management (filtering by IP and MAC),

- SNMP management,

- Ethernet profile.

The network equipment must be chosen from the ITER Catalogue of I&C products for Networks products.

8.4 PSS-OS signal cabling

When signal redundancy is required, the redundant cables should be kept as separate as possible, but they can be routed through the same cable tray.

It is recommended that sensor / actuator signals are connected to the SIMATIC I/O modules through terminal blocks. It is advisable to install an external protective circuit in order to provide sufficient surge strength to an ET200M with fail-safe signal modules. It is recommended that the Marshaling Terminal Assembly referenced in the Catalogue for I&C products – Slow controllers is used. It is possible to use ABB/ENTRELEC or PHOENIX CONTACT equipment as recommended in the Guidelines for I&C cubicles configuration if this equipment is certified IEC 61508 and enables the reliability requirements to be fulfilled.

The cables should be selected from the [RD16] - IO Cable Catalogue [ITER_D_355QX2]. The PSS-OS signal cabling must be compliant with:

- [RD1] - Plant Control Design Handbook [ITER_D_27LH2V],

- [RD14] - I&C Cubicle Internal Configuration [ITER_D_4H5DW6],

- [RD18] - IO Cabling rules [ITER_D_335VF9].

8.5 PSS-OS powering

8.5.1 Conceptual principles

The powering of PSS-OS cubicles must be compliant with the Electrical Design Handbook, in particular [RD19] (EDH Guide A: Electrical Installations for SSEN Client Systems [ITER_D_2EB9VT]).

The following rules apply:

- All PSS-OS cubicles and components must be redundantly powered,

- The redundant powering cables must be kept as separate as possible although sharing of the same cable tray is permitted,

- The mounting rail must be bonded to ground,

- Circuit breakers must at least permit the independent power on/off of each train, each architecture and its periphery,

- The power supplies should be monitored so that a failure of one power supply can be reported and repaired so that the system will not stay too long without redundancy.

The PSS-OS cubicles are powered by two independent sources:

- Class II-IP power supply: an uninterruptible power supply with backup by a battery set of 1 hour autonomy and by a diesel generator available for 24 hours,

- Class IV-OL power supply: an alternative power supply in the event of class II-IP inverter failure or fault in the class II-IP power feeder.

The 24Vdc will be generated locally by redundant power supply modules using the Class II-IP or Class IV-OL sources. It is recommended that the power supplies for the digital I/O and the analogue inputs are separated in order to avoid disturbing the latter.

If PSS-OS equipment needs additional voltages, they should be obtained by transforming the existing voltages using appropriate components, which will be compliant with the SIL requirements of the function. This additional powering must be redundant.

8.5.2 CPU racks

Two families of SIMATIC CPU are used for the PSS-OS architectures and therefore there are two types of SIMATIC rack: the S7-300 rack and the S7-400 rack. Only the second one can be equipped with redundant power supplies. The first option for the S7-300 rack is to use two external non-redundant power supplies and one add-on module. Using diodes, the add-on module decouples the two parallel basic power supplies, so that the failure of a single power supply no longer compromises the safe and uninterrupted supply of 24 volt power.

Figure 7.2: Power supply redundancy option 1 (diagram: the CPU300F is fed by a redundant 24Vcc power supply built from a single 24Vcc supply from Class II-IP 230Vac and a single 24Vcc supply from Class IV OL 230Vac, each through its own DB PS, combined by the diode add-on module)

The second option for the S7-300 rack is to use two or more switching power supplies (equipped with an internal power diode for parallel operation). One advantage of this type of power system is that each power supply provides a part of the total system power. The thermal stress on each supply is also reduced. The following figure shows the second option with two switching power supplies.

Figure 7.3: Power supply redundancy option 2 (diagram: the CPU300F is fed by a redundant 24Vcc power supply formed by two parallel switching power supplies, one single 24Vcc supply from Class II-IP 230Vac and one from Class IV OL 230Vac, each through its own DB PS)

Each S7-400 rack must be powered by two redundant power supply modules. The first power supply module should be powered by a class II-IP power supply and the second one by a class IV-OL power supply. Each power supply module must have two backup batteries in its battery compartment, as shown in the schematic below:

Figure 7.4: CPU 400H Power supply redundancy principle

In the case of a redundant architecture of CPUs (SIL3 capable architecture), the same principle as above will apply: each CPU rack must be powered by two redundant power supply modules powered by two independent sources: Class IV OL and class II IP. Each power supply module must also have two sets of backup batteries in its battery compartment. The principle is shown on the figure below:


Figure 7.5: Redundant CPU 400H Power supply redundancy principle

The power supply equipment must be chosen from the [RD12] - ITER Catalogue for I&C products – Slow Controllers [ITER_D_333J63].

8.5.3 Peripheral racks

As for the S7-300 rack, there is no dedicated redundant power module available for the SIMATIC remote I/O selected for the PSS-OS needs (S7 ET200M). This is why the solutions are identical to those for the S7-300 rack: non-redundant power supplies or switching power supplies (refer to section 8.5.2 for more details). The figure below describes the powering concept for a peripheral rack:

Figure 7.6: Remote I/O Power supply redundancy principle (diagram: a peripheral rack with IM, DI, DO and AI modules on the DP bus, fed by a redundant 24Vdc PS built from PSa on Class II-IP 230Vac and PSb on Class IV 230Vac through a redundancy module)

In the case of a redundant architecture with multiple peripheral racks, the principle stays the same: each peripheral rack will be powered by two power supply modules, fed at 230Vac from the independent Class IV OL and Class II IP sources, and one redundancy module.

The figure below describes the powering concept for multiple peripheral racks:

Figure 7.7: Remote I/Os Power supply redundancy principle (diagram: peripheral racks with interface modules IM0a/IM0b and IM1a/IM1b on the DP buses, each rack with DI, DO and AI modules and its own redundant 24Vdc PS; PSa on Class II-IP 230Vac and PSb on Class IV 230Vac feed Redundancy 1 and Redundancy 2 modules)


Note: It is recommended that the power supplies for the digital I/O and the analogue inputs are separated.

8.5.4 Network products

Each network product (switches, electronic devices…) involved in the PSN-OS or in the CSN-OS should be powered by both of the independent sources, Class IV OL and Class II IP, as shown in the figure below:

Figure 7.8: Switches Power supply redundancy principle

8.5.5 Cubicle Power distribution

Refer to [RD14] - I&C Cubicle Internal Configuration [ITER_D_4H5DW6] for the PSS-OS application.


9 Software tools

This chapter introduces the PLC software to be used by the PSS-OS with the OS environment.

The PLC software, in the form of the SIEMENS tools, is necessary to configure, develop and manage the occupational safety programmable logic controller (PLC) environment.

The two fail-safe systems available in SIMATIC S7 automation systems (S7 Distributed Safety and S7 F/FH) should be evaluated according to the hardware architecture developed and the relevant availability level.

The list of SIEMENS tools to be considered is:

- SIMATIC STEP7 professional software,

- SIMATIC STEP7 Optional package S7 Distributed Safety, which is used to engineer the hardware and configure the occupational safety functions for SIL2 capable architectures. OS functions are configured in F-LAD or F-FBD languages,

- SIMATIC STEP7 Optional package S7 F Systems, which is used to engineer the hardware and configure the occupational safety functions for SIL3 capable architectures. It expands the S7-400H controller for OS functions by providing pre-configured blocks, certified by the German Technical Inspectorate (TÜV) according to SIL 3 IEC 61508 standard. OS functions are configured in Continuous Function Charts (CFC) with certified function blocks.


10 Software Interfaces and Functional Requirements

Most occupational safety functions should be functions which only need the CSS-OS for supervisory features and no safety processes. In order to develop a homogeneous and efficient overall OS I&C system, it has been decided to standardize the central control and monitoring parameters of the OS I&C functions, and so the interface between the PSS-OS and the CSS-OS. This standardization will be highly beneficial from the Human Factors point of view and for the integration of the system.

The interface which manages the link between a PSS-OS safety PLC and the CSS-OS SCADA (technology to be defined) is detailed in section 10.1. This section defines the concepts applicable to all the OS I&C functions. The second interface, which manages the link between the PSS-OS and CSS-OS safety PLCs (when relevant for a specific OS I&C function), is introduced in section 10.2. It is a SIMATIC Safety PLC interface. The last interface, which manages the link for OS Hardware Monitoring between the PSS-OS and the CSS-OS SCADA, is introduced in section 10.3.

10.1 OS Functional Monitoring Interface

IO has standardized the common OS functional concepts (states and status functions, monitored information, reset, override…).

10.1.1 OS Common Concepts

10.1.1.1 OS Function State and Status

The safety logic between the inputs and the outputs will be specific to each OS I&C function, but the state of the function will always be synthesized by an overall status as defined below:

Tripped state: the safety function is activated, associated safety actuators are maintained in the fail-safe position. Tripped condition: safety event or major failure that triggers the actuation of the safety function (fail safe design).

Normal state: the safety function is not activated, associated safety actuators are activated in the normal position, there are no conditions related to the "degraded state".

Degraded state: the safety function is not activated, associated safety actuators are activated in the normal position, but a component of the safety function is unavailable (one sensor of a 2oo3 logic is tripped, degraded output configuration…).

Figure 9.2: Function States principle (diagram: the states Normal, Degraded and Tripped in order of increasing severity, linked by the transitions A to E listed in the table below)

Ref  From      To        Condition
A    normal    degraded  One of the components of the safety function becomes unavailable.
B    degraded  normal    All the components of the safety function become available.
C    degraded  tripped   An event or a major failure occurs.
D    normal    tripped   An event or a major failure occurs.
E    tripped   normal    The operator resets AND the safety function is available.

The function will also have two additional statuses associated with it that will be controlled by the operator from the CSS-OS:

- Override status,

- Maintenance status.

The override status will be set as soon as at least one input or output of the function is overridden. The overrides are used to disable inputs or outputs of a safety related system for maintenance activities (prevention or repair), to avoid trips caused by spurious signals or logic tests. An override can equally be applied to the inputs or outputs of the function. This may also be described as an inhibit or a forcing command. Strictly speaking, an 'inhibit' prevents something happening whereas an 'override' applies a forced state, but these two words tend to be used interchangeably. In this document, override will be used. However, the status indications of inhibited inputs and outputs stay active to provide as much information as possible to the operator.

Inputs and outputs of the OS I&C function can only be overridden by maintenance operators from CSS-OS maintenance terminals. This action is performed through the function's override controls.

Note: A specific robust protocol guarantees that no override command can be accidentally set (human error and/or system failure). This protocol implemented for the data exchanges between PLC and OS SCADA ensures the quality of the commands.


Caution: Override controls for an input or an output should only be implemented when the risk analysis phase has demonstrated that they are necessary for operation.

The maintenance status is used by the operator to highlight a function that is under maintenance or being commissioned. This status is a virtual flag set by the operator on the control room displays as a reminder of this specific condition.

The maintenance status, however, has no influence on the behaviour of the safety functions, which continue to be computed.

10.1.1.2 OS Function Reset

Once triggered, the status of the safety function must be latched and the safety actuators must be driven to the safe position and remain there, even if the safety event that triggered the function disappears. The reset command, available from the CSS-OS SCADA, allows all the latched safety actuator commands that were activated to the “Trip” state to be reset. The reset command also resets all values latched when the function was triggered (for example, latched input values).

Important requirement: The safety logic of the function must be designed so that the reset command is effective only if the inputs are in a state in which no safety event is present.
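Added example, not part of the guideline and not PLC code: the state logic of 10.1.1.1 and the latched trip with reset permissive of 10.1.1.2, simulated in Python so that transitions A to E of Figure 9.2, the override and maintenance statuses and the refused/accepted reset can be exercised scan by scan. The channel names, the “major failure” flag passed to scan() and the scenario in demo() are constructed for the illustration.

```python
"""Added illustration (not PLC code): scan-cycle simulation of the OS function
states of Figure 9.2 plus the override/maintenance statuses and the latched
trip with reset permissive.  Channel names and the scenario are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class State(Enum):
    NORMAL = "normal"
    DEGRADED = "degraded"
    TRIPPED = "tripped"


@dataclass
class Channel:
    """One input of the safety function (value True = trip demanded).
    `available` is the diagnostic health; `override`, when not None, is the value
    forced from the CSS-OS maintenance terminal.  The indication keeps following
    the live field value, so the operator still sees it during the override."""
    name: str
    value: bool = False
    available: bool = True
    override: Optional[bool] = None

    def effective(self) -> bool:
        return self.value if self.override is None else self.override

    def indication(self) -> bool:
        return self.value


@dataclass
class SafetyFunction:
    inputs: List[Channel]
    state: State = State.NORMAL
    trip_output: bool = False               # latched actuator command, True = safe position
    latched_inputs: Dict[str, bool] = field(default_factory=dict)
    maintenance: bool = False               # operator reminder flag, never read by the logic

    def override_status(self) -> bool:
        """Set as soon as at least one I/O of the function is overridden."""
        return any(ch.override is not None for ch in self.inputs)

    def available(self) -> bool:
        return all(ch.available for ch in self.inputs)

    def event_present(self) -> bool:
        """A safety event is any input whose effective (possibly forced) value demands a trip."""
        return any(ch.effective() for ch in self.inputs)

    def scan(self, major_failure: bool = False) -> State:
        """One logic-solver cycle, applying transitions A to E of Figure 9.2."""
        if self.state is State.TRIPPED:
            return self.state                      # latched: only reset() can leave it
        if self.event_present() or major_failure:  # C (from degraded) or D (from normal)
            self.state = State.TRIPPED
            self.trip_output = True
            self.latched_inputs = {ch.name: ch.effective() for ch in self.inputs}
        elif not self.available():                 # A
            self.state = State.DEGRADED
        else:                                      # B
            self.state = State.NORMAL
        return self.state

    def reset(self) -> bool:
        """Operator reset from the CSS-OS SCADA.  Effective only while tripped, with no
        safety event present and the function available (transition E); otherwise the
        trip stays latched and False is returned."""
        if self.state is not State.TRIPPED or self.event_present() or not self.available():
            return False
        self.trip_output = False
        self.latched_inputs = {}
        self.state = State.NORMAL
        return True


def demo() -> List[State]:
    """Constructed scenario: detector b fails and recovers, detector a trips, an early
    reset is refused while the event persists, then the reset is accepted."""
    f = SafetyFunction([Channel("detector_a"), Channel("detector_b")])
    trace = [f.scan()]
    f.inputs[1].available = False
    trace.append(f.scan())
    f.inputs[1].available = True
    trace.append(f.scan())
    f.inputs[0].value = True
    trace.append(f.scan())
    f.inputs[0].value = False
    trace.append(f.scan())                     # event gone, trip still latched
    f.inputs[0].value = True
    f.reset()                                  # refused: event present
    trace.append(f.state)
    f.inputs[0].value = False
    f.reset()                                  # accepted
    trace.append(f.state)
    return trace


if __name__ == "__main__":
    print([s.value for s in demo()])
```

Two points the simulation makes visible: an override changes only the effective value read by the logic, while indication() keeps returning the live field value, as 10.1.1.1 requires; and because reset() is refused while event_present() is true, a forced input is the only way to reset a function whose field signal persists, which is why override controls need the risk-analysis justification stated in the Caution above.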

10.1.1.3 Time synchronization

The PSS-OS PLC has to be synchronized with a unique time reference to provide correct logging of the sequence of events for fault analysis. Time synchronization of the SCS-OS is done from an external clock. As the Siemens S7 PLC accepts NTP synchronization, an NTP server is used to synchronize all occupational safety SCS, so that events logged by different PLCs can be ordered against the same reference.

The time reference for timestamps is the “ITER time” (=UTC time).

10.1.1.4 Alarm Management

The alarm design integrates the recommendations described in [RD21] - Philosophy of ITER Alarm System Management [ITER_D_3WCD7T].

10.1.1.5 Naming convention

Refer to [RD1] - Plant Control Design Handbook [ITER_D_27LH2V] for the complete naming rules.

10.2 OS Interface between PSS-OS PLC and CSS-OS PLC

The PSS-OS designer will develop the PLC software with one of the following SIEMENS software packages, according to the hardware configuration selected for the PSS-OS:
- S7 Distributed Safety when an S7-300F CPU is used,
- S7 F/FH System when an S7-400H CPU is used.

Caution: For the OS central function cases, the PSS-OS PLC software will be interfaced to the CSS-OS PLC software (developed with S7 F/FH System).


The PSS-OS designer should refer to the PLC supplier documentation in order to take into account all the mechanisms concerning safety communication over Industrial Ethernet through the S7 connections.

10.3 OS Hardware Monitoring Interface

The only kind of system-health alarm that should appear on the CSS-OS SCADA at the safety operator’s desk is a synthesized alarm. All detailed system monitoring should appear on the dedicated CSS-OS maintenance terminals and should be as detailed as possible.

There are two kinds of health monitoring:
- Cubicle monitoring (temperature, doors…),
- System monitoring (PLC memory, communication rates…).

Note: These values are transmitted to the CSS-OS SCADA through standard templates which are still under study.

Refer to the following documents for more details:
- [RD1] - Plant Control Design Handbook [ITER_D_27LH2V], paragraph 4.4.1,
- [RD13] - I&C Cubicle Monitoring System – Functional Specifications [ITER_D_7A45LE].

10.4 PSS-OS software structure

The program structure follows the typical scheme of the Standard PLC Software Structure (SPSS) deployed on the ITER Project for the conventional PLCs and the redundant PLCs. Refer to [RD20] - PLC Software Engineering Handbook [ITER_D_3QPL4H] for more details about the SPSS.


11 Testing and Acceptance tests

Testing and acceptance tests are important tasks and an integral part of the ITER model of integration. These tests are intended to check the conformity of the deliverables with the requirements specified by ITER. In the process defined by the ITER model of integration, two major acceptance tests are defined: the FAT (Factory Acceptance Tests), carried out at the supplier’s premises during the manufacturing phase, and the SAT (Site Acceptance Tests), covering all the plant systems installed on the site during the integration phase.

Figure 12.1: Integration principle

11.1 Entry criteria

The entry criteria for the acceptance tests given in [RD7] - Integration scheme and procedure for plant system I&C [ITER_D_3VVU9W] are applicable to the PSS-OS acceptance tests. This document gives the list of prerequisites which must be met before the acceptance tests (FAT or SAT) can start.

11.2 Acceptance process

The acceptance process described in [RD7] - Integration scheme and procedure for plant system I&C [ITER_D_3VVU9W] is applicable to the PSS-OS acceptance tests. In accordance with [RD1] - Plant Control Design Handbook [ITER_D_27LH2V], the results of the execution of the FAT and SAT plans are recorded in a FAT (PCDH D50) or SAT (PCDH D65) report. Their classification and treatment should comply with the requirements for the test campaign part passed, the severity level value and the life-cycle state.

11.3 Acceptance criteria

The acceptance criteria, with the list of requirement details (in particular for the different validations, taking into account parameters such as execution rate, severity level, etc.), described in [RD7] - Integration scheme and procedure for plant system I&C [ITER_D_3VVU9W] are applicable to the PSS-OS acceptance tests.


11.4 FAT

The Plant System I&C Factory Acceptance Test (FAT) checks the conformity of the plant system I&C with the IO requirements, and mainly with the PCDH requirements, in order to ensure that the plant system I&C unit can be integrated before the SAT starts. The unit for the PS I&C FAT is the PSS-OS cubicle with its embedded hardware and software.

Before starting the FAT the supplier must carry out a pre-FAT to detect and solve the manufacturing issues.

The scope of the FAT should be adjusted according to the procurement configuration and will cover the following areas:

- Mechanical and electrical configuration of the PSS-OS cubicles,
- PLC hardware and software,
- Plant system configuration,
- Plant system I&C functions,
- Performance,
- Documentation.

During the FAT, the interfaces to the plant (instrumentation and actuators) are disconnected and simulated by test equipment. The environmental conditions are those of the supplier’s factory.

To check compliance of the procurement with the remaining PCDH requirements and to optimize the duration of the FAT, the PCDH proposes to split the I&C FAT into several campaigns. For further information about the FAT campaigns, their scope and scenarios, consult [RD1] - Plant Control Design Handbook [ITER_D_27LH2V] and [RD7] - Integration scheme and procedure for plant system I&C [ITER_D_3VVU9W].

11.5 SAT

The Site Acceptance Test (SAT) checks the conformity of the whole set of plant system I&C delivered, after shipment to the ITER site. It checks conformity with the IO requirements, and mainly with the PCDH requirements, in order to ensure that the PSS-OS is ready to proceed to the next step in the life-cycle of the ITER model of integration: the integrated commissioning.

The SAT also covers whatever was not, for any reason, covered by the FAT.

In accordance with [RD7] - Integration scheme and procedure for plant system I&C [ITER_D_3VVU9W], the SAT is organised into 3 sequential steps:

- Component tests: the unit to test is the PSS-OS Cubicle (physical interfaces test). These tests are performed by the I&C supplier under the responsibility of the Plant System I&C RO with support from ITER IO CSD.

- System tests: the unit to test is the PSS-OS System (functional tests). These tests are performed by the I&C supplier under the responsibility of the Plant System I&C RO with support from ITER IO CSD.

- Connection to the central I&C infrastructure: the unit to test is the PSS-OS System (functional tests). The PBS48.OS servers are updated with the plant system deliverables to allow the PSS-OS to be operated from the Main Control Room (MCR). This integrated operation is performed under the responsibility of the Plant System I&C RO and the PBS 48 RO.

In accordance with [RD1] - Plant Control Design Handbook [ITER_D_27LH2V], any deviation from the expected result during the execution of tests must be captured in a uniquely identified issue sheet. This will record all of the information related to the investigation of the root cause of the issue and all of the remedial actions. In these cases the PCDH rules in the “Deviation policy” section should be applied.


12 Standards compliance and SIL assessment

This section introduces the methodology for the assessment of each safety instrumented system, based on the IEC 61511 standard (complemented by the IEC 61508 standard).

The plant system suppliers have to deliver a SIL-certified system that meets the safety requirements described in IEC 61511. The plant system supplier has to arrange for this certification to be delivered by a third party.

Among the activities inside the 3 permanent phases of the IEC 61511 lifecycle, the functional safety assessment (part of phase 10) manages the activities necessary to ensure that the functional safety objectives are met. Certification is integrated into this activity through the dedicated assessment step.

From IEC 61511-1, section 5.2.6:
“A procedure shall be defined and executed for a functional safety assessment in such a way that a judgment can be made as to the functional safety and safety integrity achieved by the safety instrumented system. The procedure shall require that an assessment team is appointed which includes the technical, application and operations expertise needed for the particular installation.”

“At least one functional safety assessment shall be undertaken. This functional safety assessment shall be carried out to make sure the hazards arising from a process and its associated equipment are properly controlled. As a minimum, one assessment shall be carried out prior to the identified hazards being present (i.e. stage 3).”

Figure 13.1: IEC 61511 standard life-cycle

The main associated evaluations to be made are:
- Project documentation assessment,
- Development and product design assessment,
- Business process assessment,
- Analysis and studies of operational safety assessment:
  o Assessment of failure modes, effects and diagnostic analysis,
  o Assessment of probability of dangerous failure calculations,
- Assessment of verification and validation activities.

In accordance with [RD8] - Usage of IEC 61511 [ITER_D_DMF2CW], refer to IEC 61508 Part 1 section 8.2 for the minimum level of independence of the people who carry out a functional safety assessment.


13 Periodic tests principle

The objective of the operation and maintenance phase of a safety system is to master, over time, the integrity level of each safety function. Periodic tests allow the dangerous failures that are not detected by diagnostics to be managed, so that the safety functions are kept within the probability of failure defined in the risk analysis phase.

These tests can be done either partially or totally, but shall cover the entire safety system. From IEC 61511-1, section 16.3.1:
“The entire SIS shall be tested including the sensor(s), the logic solver and the final element(s)”

Unlike the ITER experimental process, which is not continuous, the SCS-OS (PSS-OS and CSS-OS) shall operate continuously to protect people and the environment, bearing in mind that process maintenance periods are sometimes more critical than operational periods (OS functions are generally linked to the presence of people).

This is why the process for performing the periodic tests required to maintain the SIL level of the PSS-OS functions has to be considered at the design stage. To limit the complexity of the OS I&C function or the need for overrides, it is generally easier to perform the periodic tests when the system protected by the function is stopped, which in many cases happens during the Long Term Maintenance phase. When this is not possible or suitable, the requirements of the OS I&C functions have to include provisions for performing the tests during PSS-OS operation (additional redundancies, specific overrides, etc.).

Note: For each safety function, failure to carry out the periodic tests directly impacts the associated quantitative requirement (PFD or PFH) and consequently the SIL level. From IEC 61511-1, section 16.3.1.3:
“The frequency of the proof tests shall be as decided using the PFD average calculation”

Refer to [RD9] - Guidelines for PSS-OS Reliability Assessment [ITER_D_HXQ35R] for more details about association between periodic test and failure calculation.
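Added example, not from the guideline or from [RD9]: a small Python calculation showing how the proof-test interval TI drives PFDavg, and therefore the achievable SIL band, for a 1oo1 and a 1oo2 architecture, which is the link between the periodic tests and the quantitative requirement that the Note above points to. It uses the simplified low-demand formulas of IEC 61508-6 with the repair-time and detected-failure terms dropped (an assumption of this illustration), and the failure rate, common-cause factor and intervals are constructed values, not ITER data; the actual assessment must follow [RD9].

```python
"""Added example (not from the guideline or [RD9]): effect of the proof-test
interval TI on PFDavg and on the SIL band, using the simplified low-demand
formulas of IEC 61508-6 without repair-time and detected-failure terms.
All numerical inputs below are constructed values for the illustration."""
from typing import List, Optional, Tuple

HOURS_PER_YEAR = 8760.0

# Low-demand PFDavg bands of IEC 61508-1 / IEC 61511-1:
# (SIL, lower bound inclusive, upper bound exclusive)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def pfd_1oo1(lambda_du: float, ti_hours: float) -> float:
    """PFDavg of a single channel: lambda_DU * TI / 2 (valid while lambda_DU * TI << 1)."""
    return lambda_du * ti_hours / 2.0


def pfd_1oo2(lambda_du: float, ti_hours: float, beta: float) -> float:
    """PFDavg of a 1oo2 voted pair with common-cause fraction beta:
    independent term (1-beta)^2 * (lambda_DU*TI)^2 / 3 plus common-cause term
    beta * lambda_DU * TI / 2 (simplified IEC 61508-6 expression, MTTR = 0)."""
    x = lambda_du * ti_hours
    return (1.0 - beta) ** 2 * x ** 2 / 3.0 + beta * x / 2.0


def sil_band(pfd: float) -> Optional[int]:
    """SIL whose low-demand band contains pfd, or None if worse than SIL 1."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return None


def max_test_interval_1oo1(lambda_du: float, target_pfd: float) -> float:
    """Largest TI (hours) keeping a 1oo1 channel at or below target_pfd (inverse of pfd_1oo1)."""
    return 2.0 * target_pfd / lambda_du


def report(lambda_du: float, beta: float,
           ti_years: List[float]) -> List[Tuple[float, float, Optional[int], float, Optional[int]]]:
    """(TI in years, PFDavg 1oo1, SIL 1oo1, PFDavg 1oo2, SIL 1oo2) per proof-test interval."""
    rows = []
    for years in ti_years:
        ti = years * HOURS_PER_YEAR
        p1, p2 = pfd_1oo1(lambda_du, ti), pfd_1oo2(lambda_du, ti, beta)
        rows.append((years, p1, sil_band(p1), p2, sil_band(p2)))
    return rows


if __name__ == "__main__":
    # Constructed channel: lambda_DU = 2e-6 /h, 5 % common-cause fraction.  Skipping one
    # yearly proof test (TI from 1 to 2 years) drops both architectures by one SIL band.
    for years, p1, s1, p2, s2 in report(2e-6, 0.05, [0.5, 1.0, 2.0]):
        print(f"TI={years:>4} y  1oo1: PFDavg={p1:.2e} SIL {s1}   1oo2: PFDavg={p2:.2e} SIL {s2}")
```

With the constructed rate, the 1oo1 channel sits in SIL 2 at a one-year interval and falls to SIL 1 if the test slips to two years; the 1oo2 pair moves from SIL 3 to SIL 2 under the same slip, because its common-cause term is linear in TI just like the single channel. max_test_interval_1oo1() gives the longest interval compatible with a target PFDavg, which is the design-stage figure the text asks the designer to establish before deciding whether the test can wait for a Long Term Maintenance phase.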


APPENDIX 1 – Detailed logic hardware lists

Configuration 1 – S7-300 F PLC based architecture with Integrated IO configuration

Order No.            Designation                                               Quantity
6ES7317-2FK14-0AB0   Central processing unit CPU317F-2 PN/DP                   1
6ES7953-8LL31-0AA0   Micro Memory Card for IM151 CPU and S7-300C, 2 MB         1
6GK7343-1GX30-0XE0   CP 343-1 Advanced Industrial Ethernet S7-300              2
6ES7326-1BK02-0AB0   Digital input 24DI 24V DC; diagnose fail-safe             2
6ES7326-2BF10-0AB0   Digital output 10DO DC 24V/2A PP; diagnose fail-safe      2
6ES7390-1AJ30-0AA0   Mounting rail 830 mm                                      1
6ES7392-1AJ00-0AA0   Front connector 20-pole with screw contact                1
6ES7392-1AM00-0AA0   Front connector 40-pole with screw contact                1
6ES7392-1BM01-0AA0   Front connector 40-pole with Cage Clamp terminals         1

Table A1.1: Configuration 1 example - List of logic components

[Diagram, not reproduced: the PBS.X cubicle contains PSS-OS Rack 0 with the CPU (DP port), the communication processors CPa and CPb connected over RJ45 to the MAIN SWITCH on Bus 0 Industrial Ethernet and to the BACK-UP SWITCH on Bus 1 Industrial Ethernet, and the fail-safe I/O modules DIa, DIb, DOa and DOb wired to Sensor a, Sensor b, Actuator a and Actuator b.]

Figure A1.1: Configuration 1 example - Schema


Configuration 2 – S7-400 F/H PLC based architecture with Distributed IO configuration

Order No.            Designation                                                          Quantity
6ES7407-0KR02-0AA0   Power supply PS407 10A; AC 120/230V -> DC 5V/24V, redundant          4
6ES7414-5HM06-0AB0   S7-CPU 414-5H; 2x2MB main memory; 1 MPI/DP, 1 DP                     2
6ES7952-1AS00-0AA0   RAM Memory Card, long; 16 MB                                         2
6GK7443-1GX20-0XE0   CP 443-1 Advanced Industrial Ethernet S7-400                         2
6ES7960-1AB06-0XA0   Synch. module for installation cable                                 4
6ES7153-2BA02-0XB0   IM 153-2 High Feature for ET200M PROFIBUS DP                         6
6ES7953-8LM20-0AA0   Micro Memory Card for IM151 CPU and S7-300C, 4 MB                    3
6ES7326-1BK02-0AB0   Digital input 24DI 24V DC; diagnose fail-safe                        3
6ES7326-2BF10-0AB0   Digital output 10DO DC 24V/2A PP; diagnose fail-safe                 3
6ES7400-1JA01-0AA0   UR2 central controller/expansion unit; 9 slots, K bus                2
6ES7195-1GA00-0XA0   DIN rail for active bus modules, 482 mm (19")                        3
6ES7195-7HB00-0XA0   Active bus module for 2 modules 40 mm wide                           3
6ES7195-7HC00-0XA0   Active bus module for 1 module 80 mm wide                            3
6ES7195-7HD10-0XA0   Active bus module IM/IM for 2 IM153-2 High Feature                   3
6ES7392-1BJ00-0AA0   20-pin front connector with spring terminals                         3
6ES7392-1BM01-0AA0   Front connector 40-pole with Cage Clamp terminals                    6

Table A1.2: Configuration 2 example - List of logic components


[Diagram, not reproduced: the PBS.X cubicle contains the redundant PSS-OS Rack 0 (PS0a, PS0b, CPU0, CP0, two Sync modules) and PSS-OS Rack 1 (PS1a, PS1b, CPU1, CP1, two Sync modules), coupled by FO synchronisation links. CP0 and CP1 connect over RJ45 to the MAIN SWITCH on Bus 0 Industrial Ethernet and to the BACK-UP SWITCH on Bus 1 Industrial Ethernet. The distributed PSS-OS Periphery Racks 2, 3 and 4 each carry a pair of interface modules (IM0a/IM1a, IM0b/IM1b, IM0c/IM1c) attached through DP ports to Bus 0 Profibus and Bus 1 Profibus, with DI/DO modules (DIa/DOa, DIb/DOb, DIc/DOc) wired to Sensors a, b, c and Actuators a, b, c.]

Figure A1.2: Configuration 2 example - Schema