Control systems

Advancing the ITER interlock system

On 6 March 2020, the Korean company KEPCO Engineering & Construction completed manufacture of the first set of cubicles that constitute the ITER central interlock system—the control system designed for machine protection.
Part of the ITER central interlock team after the completion of final validation checks on the first cubicles to arrive. The central interlock system is being procured directly by the ITER Organization (i.e., not through an ITER Domestic Agency). Ultimately, the cubicles will be installed in the ITER Control Building.
Much like what is used in data centres, the cubicles manufactured (and later delivered) by KEPCO are rack structures of a standard size, containing servers and storage units—and running software. Ultimately, they will be installed in the main Control Building.
 
"We are using standard ITER cubicles, which are more than two metres tall," says Alvaro Marqueta, Interlock Systems Responsible Officer. "We have a variety of technologies inside—programmable logic controllers, IT servers, and field programmable gate arrays."
 
KEPCO didn't work alone on this project, which began in September 2013—South Korea's National Fusion Research Institute and the firm Mobiis also helped. In addition, most of the ITER Members provided engineering support, prototyping and testing to help with the development of the system, while the ITER central interlock system team provided the overall specifications.
 
Protecting the ITER investment
 
The central interlock system and a number of local elements (called plant interlock systems) make up the ITER interlock system, which protects the ITER investment by ensuring that no failure of a key system can damage machine integrity or availability. The main sources of risk are the superconducting magnets and associated systems, plasma heating and fuelling equipment, cooling systems, and the plasma itself.
 
"The local controllers only have a local scope," says Marqueta. "But the central interlock has a global view: it monitors the local systems and makes decisions accordingly. When an event that occurs in one plant system affects others, the central interlock system sends commands to the associated plant interlock systems. While these decisions are made quickly and automatically, the central interlock system also reports status to operators in the main control room, who may override with corrective actions."
 
The final validation of the central interlock operation screens and functionality was performed in Seoul by the ITER team and the Korean supplier.
Dedicated networks connect the plant interlock systems to the central interlock system. Two separate architectures have been designed to service different kinds of events, depending largely on the response time required. Not surprisingly, the two independent infrastructures are referred to as slow and fast.

The slow architecture, based on programmable logic controllers (PLCs), is for functions that need response times between 100 ms and 1 s. "Two crucial PLC features we use are called 'F-H,' for fail-safe and high availability," says Marqueta. "If a PLC fails, it will fail in a predictable way into a know state, which is a safe state. In other words, they will not fail into a random state. High availability means that two PLCs work together in tandem; if one fails, the other can take over."
 
The fast architecture is needed for events that require a reaction time in the range of 100-300 ms. This includes plasma-related interlock events such as a heating system stoppage or a disruption mitigation system trigger. The fast architecture is based on field programmable gate arrays (FPGAs), which offer a faster response than PLC. An important component of the fast architecture is the plasma protection module, which is in charge of interlock functions relating to the plasma.
 
In addition to the slow and fast architectures, a third architecture was designed to directly connect all subsystems involved in the powering and protection of magnets, with no central coordination. This third arrangement, called the hardwired architecture, is used to synchronize all the systems involved in a fast discharge of the superconducting coils. Hardwired loops are connected directly to sensors and actuators of different systems in order to maximize integrity and simplicity.
 
Coordinating all the components
 
Most of the components of the interlock system are provided as in-kind contributions from the ITER Domestic Agencies, who in turn contract the work to suppliers. The result is a set of computers and controllers from as many as 35 different countries that have to work in concert to form the crucial ITER interlock system. The job of the central interlock system team is to make sure it all works.
 
"Not only are we responsible for the design of the central interlock systems," says Marqueta, "but we also have to ensure interoperability. To do this, we establish guidelines for the development of plant interlock systems—and we provide support as needed."
 
As the pieces come together in southern France, the interlock team tests each of the systems to make sure they work to standard. Eventually they will test all the components together to verify they interoperate to a level that will ultimately protect the ITER investment.