Advancing the ITER interlock system

 

"We are using standard ITER cubicles, which are more than two metres tall," says Alvaro Marqueta, Interlock Systems Responsible Officer. "We have a variety of technologies inside—programmable logic controllers, IT servers, and field programmable gate arrays."

 

KEPCO didn't work alone on this project, which began in September 2013—South Korea's National Fusion Research Institute and the firm Mobiis also helped. In addition, most of the ITER Members provided engineering support, prototyping and testing to help with the development of the system, while the ITER central interlock system team provided the overall specifications.

 

 

The central interlock system and a number of local elements (called plant interlock systems) make up the ITER interlock system, which protects the ITER investment by ensuring that no failure of a key system can damage machine integrity or availability. The main sources of risk are the superconducting magnets and associated systems, plasma heating and fuelling equipment, cooling systems, and the plasma itself.

 

"The local controllers only have a local scope," says Marqueta. "But the central interlock has a global view: it monitors the local systems and makes decisions accordingly. When an event that occurs in one plant system affects others, the central interlock system sends commands to the associated plant interlock systems. While these decisions are made quickly and automatically, the central interlock system also reports status to operators in the main control room, who may override with corrective actions."

 

The slow architecture, based on programmable logic controllers (PLCs), is for functions that need response times between 100 ms and 1 s. "Two crucial PLC features we use are called 'F-H,' for fail-safe and high availability," says Marqueta. "If a PLC fails, it will fail in a predictable way into a know state, which is a safe state. In other words, they will not fail into a random state. High availability means that two PLCs work together in tandem; if one fails, the other can take over."

 

The fast architecture is needed for events that require a reaction time in the range of 100-300 ms. This includes plasma-related interlock events such as a heating system stoppage or a disruption mitigation system trigger. The fast architecture is based on field programmable gate arrays (FPGAs), which offer a faster response than PLC. An important component of the fast architecture is the plasma protection module, which is in charge of interlock functions relating to the plasma.

 

In addition to the slow and fast architectures, a third architecture was designed to directly connect all subsystems involved in the powering and protection of magnets, with no central coordination. This third arrangement, called the hardwired architecture, is used to synchronize all the systems involved in a fast discharge of the superconducting coils. Hardwired loops are connected directly to sensors and actuators of different systems in order to maximize integrity and simplicity.

 

 

Most of the components of the interlock system are provided as in-kind contributions from the ITER Domestic Agencies, who in turn contract the work to suppliers. The result is a set of computers and controllers from as many as 35 different countries that have to work in concert to form the crucial ITER interlock system. The job of the central interlock system team is to make sure it all works.

 

"Not only are we responsible for the design of the central interlock systems," says Marqueta, "but we also have to ensure interoperability. To do this, we establish guidelines for the development of plant interlock systems—and we provide support as needed."

 

As the pieces come together in southern France, the interlock team tests each of the systems to make sure they work to standard. Eventually they will test all the components together to verify they interoperate to a level that will ultimately protect the ITER investment.