Industrial Control Systems for the Technical Infrastructure at CERN

P. Ninin, E. Cennini, P. Sollander, D. Blanc, F. Bonthond [email protected] European Organisation for Nuclear Research - CERN, 1211 - Geneva - 23, Switzerland

Abstract 2.1 Introduction Industrial control systems have been used for CERN's Technical Control Room (TCR), is responsible several years for the control of CERN's technical for the overall surveillance and control of the technical infrastructure, particularly for fire and gas detection, access infrastructure. The TCR is an alarm-driven control room in control and cooling water systems. the sense that the arrival of an alarm alerts the operator and Until recently, industrial equipment has been connected makes him take appropriate actions. The operator acts to the control network at the lowest level via CERN upon the alarms primarily by consulting and interacting specific front ends. Since 1993 they have been integrated with mimic diagrams. These human-computer interfaces, using industrial supervision systems drivers. Today the alarms and mimic diagrams have been structured integration is performed using TCP/IP based protocols and systematically and they have been standardised to a large the distributed Technical Data Server (TDS) supervision extent, in spite of the large diversity of installations being system. This paper summarises the evolution of the supervised [1]. Any new installation must be integrated different techniques, the control system architectures harmoniously into this environment. Since 93, Siemens and our integration philosophy. The safety system of the PLCs are being increasingly used and in conjunction the Chorus and Nomad experiments, the West Zone and the PS industrial supervisor FactoryLink has been integrated in cooling water systems are based on Siemens the existing control system for the supervision of four Programmable Logic Controllers (PLC) the Siemens different systems. proprietary fieldbus Sinec L2 and Ethernet protocol Sinec H1, in combination with the driver from the supervisory 2.2 Systems system FactoryLink for data integration into the control room layer. The Access Control and Machine Interlock 2.2.1 Safety applications Safety systems of the SPS accelerator have been implemented using PLCs connected to Sinec L2 fieldbuses We are currently monitoring the refurbished safety and the H1 protocol over a specific Ethernet network. This systems at CERN using the above-mentioned system. The system is entirely supervised by a FactoryLink software systems include fire and gas detection, emergency stop application. The re-engineering of the control of the SPS equipment and other safety related data. The system air conditioning, gas and fire detection uses a new Siemens comprises around 2500 data points controlled by 15 technology for TCP/IP communication and the new different PLCs around the site concept of industrial control system integration of the TDS. 2.2.2 Cooling water west zone The PLCs communicate via TCP/IP on a public Ethernet segment with a TDS Equipment Controller (EC). This The cooling water circuits servicing the CERN 'West process converts and integrates PLC specific data to the Zone' are controlled by two PLCs, programmed and TDS, using an asynchronous data exchange protocol delivered by an external firm. The field bus used for the based on TCP/IP. previous safety system was extended to include these two PLCs. The communication functions for the PLCs 1 Introduction were provided by CERN to ensure compatibility. The TCR monitors approximately 300 data points from this system. Ten years ago, industrial control devices (PLC) or stand alone control systems) were integrated at the lowest level 2.2.3 Cooling circuits of the PS accelerator (Equipment Access layer) of the CERN control system The Proton Synchrotron (PS) had its cooling water using simple protocols such as RS-232. The integration control systems entirely rebuilt in the period 1994-95. The was usually difficult we were still in the era of the "close project was given to an external firm who was asked and proprietary" control system. Today such industrial to deliver a SINEC H1 connection to an HP machine control devices are designed for integration in running FactoryLink. The machine comprises 15 cooling heterogeneous control systems and many options stations controlled by PLCs connected to a concentrator by are offered to the control engineers. This paper will two separate field buses using the SINEC L2 protocol; the illustrate three different options of industrial controls and PLC is itself connected to FactoryLink running on the HP their integration in the CERN control room environment. machine using the SINEC H1 protocol over Ethernet. Due to the large number of equipment parameters controlled 2 Industrial control integration in the TCR and the relative stability of the system, an event driven data acquisition system was implemented. The TCR monitors add-on data acquisition module to FactoryLink in order approximately 1000 points from this system. to be able to use the UMMI.

2.2.4 Cooling circuits for the computer centre 3 SPS access control and machine interlock In 1995, the CERN computer centre cooling circuits were provided with new control facilities. Connecting the 3.1 Introduction and definitions. computer centre PLC to the existing SINEC L2 network for the PS cooling made the integration of this system The safety of personnel entering the accelerator, possible. The TCR monitors 120 points from this system. comprising radiation and electrocution risks, is provided by the Access Control System that conforms to the following 2.3 System architecture rules: Þ All equipment related to beam circulation SYSTEM ARCHITECTURE can only operate when nobody is inside the machine, X-Terminal X-Terminal Þ Personnel are only allowed to enter the machine when dangerous beam circulation equipment is not SL/CO Ethernet in operation and radiation is at a safe level. Considering the above rules and the related consequences, HP - UX HP - UX HP - UX UMMI server FactoryLink CAS the design of the access control system consists of two complementary functional blocks: the Access and Search Interlock and the Machine Interlock System.

Sinec H1 3.2 Systems

Safety. etc. Cooling Central PLC Central PLC 3.2.1 The access and search interlock - A&S. 17 PLCs The purpose of the SPS Access and Search Interlock Sinec L2 Sinec L2 System is to control the different access equipment (doors, 11 PLCs separating grids, shielding doors, etc.), of the various Cooling buildings and sectors of the tunnels, called "Important Fire CoolingLocal PLC Safety Components for the access - ISC-access" LocalFire PLC CoolingLocal PLC LocalFire PLC Local PLC Local PLC 3.2.2 The machine interlock system - MIS. The purpose of the Machine Interlock System is West Zone to control the machine equipment (power supplies, magnets, PLC 1 dumps, beam stoppers, targets, vacuum chambers, etc.), responsible for beam circulation. All this equipment is West Zone PLC 2 called "mportant Safety Components for the machine - ISC-machine".

3.3 Architecture. Figure 1. TCR integration architecture The complete Access Control System of the SPS is based on the tight integration at the "Safety Desk" level of 2.4 Main system characteristics the A&S and the MIS systems. - 4000 points monitored The A&S and MIS have the same logical structure, - 32 Siemens S5 - 115-U PLCs based on local PLCs (managing local interlocks) which - HP Server running FactoryLink and in house communicate to a central controller (managing central alarm and HCI interface interlocks) through dedicated Sinec L2 branches. The central controllers exchange summary data with a 2.5 Control room layer integration master PLC located within the "Safety Desk" of the SPS- The Central Alarm Server (CAS) [1] is the common LEP control room (PCR) using the SINEC H1 protocol. alarm server for all alarms handled by the TCR. It receives The master controller manages the integration of the A&S the alarms from the equipment, and dispatches them to the and MIS through the "resultant master interlock chains". users. Hence a special CAS interface module was The flow of information, through Sinec H1 and L2, can developed and added to the FactoryLink application be summarised as follows : in order to transmit alarms a standard way. - the central controllers receive "commands" from the All mimic diagrams used in the TCR have been FactoryLink supervisor and dispatch them to the local developed using a high-level graphics environment called controllers; the Uniform Man Machine Interface (UMMI) [2]. Again, - the central controllers receive "statuses" from local for reasons of standardisation, we chose to develop an controllers and dispatch them to the HP and process them, in order to provide the master controllers with their communicates to the TDS with a dedicated EC. respective resultant interlocks chains Each system has its own hardware redundancy for data SYSTEM ARCHITECTURE exchange between local, central and master controllers. The global system is also equipped with a dedicated X-Terminal X-Terminal "Service Network" based on RS-232 lines for contingency SL/CO Ethernet reasons, connecting the master controller to the local sites. This network is used to distribute the "Access" database. Display MIS (PC) A&S

MACHINE INTERLOCK SYSTEM ACCESS CONTROL SYSTEM 3.4 Main system characteristics. Intercom Intercom PCR SAFETY TEST KEYS (NORMAL) TEST KEYS (TEST) - 130 access elements (doors, grids, turnstiles, keys, search CCTV DESK CCTV boxes, .etc.), - 600 keys (access and safety keys), - 15 film badge readers (Bar Code reader), Hardwired Master PLC Hardwired - 50 machines (magnets, RF systems, dumps, ...), Lines Lines - 26 Siemens S5-115-U Programmable Logic Controllers - 1 Sinec H1 network, Sinec H1 HP - UX - 6 Sinec L2 networks (up to 5km), Factory Link - HP-UX FactoryLink (V. 4.3.1) application software. A&S Central A&S MIS MIS Central HW Interf. Central PLC Central PLC HW Interf. 3.5 Control room layer integration CCR Central System operators supervise the access system on Sinec L2 Sinec L2 Comms workstations connected to an HP server running Factory PCs Hardwired Hardwired L2 Repeat. L2 Repeat. link. This server is connected via the Sinec H1 network Lines Lines to the master PLC controller. # 15 RS-232 to Local Comms PCs Figure 2.- SPS Access Control and Machine Interlock.

4 SPS fire detection and ventilation systems A&S Local A&S MIS MIS Local HW Interf. Local PLC Local PLC HW Interf. RS-232 network 4.1 Introduction Keys, Grids, Doors, Magnets, RF Systems, The refurbishing of the SPS fire detection and Search Boxes, ... Local Dumps, ... Comms ventilation systems uses a new Siemens technology Sites PC allowing PLCs to communicate directly over TCP/IP, and (BAs) Internal External Monitor Monitor the new concept of industrial control integration and data Cntrl (PC) Cntrl (PC) Film distribution proposed by the TDS [6]. Display Badge Display

4.2 Systems Intercom

The aim of the system is to detect fires in the SPS CCTV accelerator and to automatically activate the tunnel ventilation system according to a predefined plan. The Figure 2.- SPS Access Control and Machine Interlock supervision of these security systems is performed from The TDS interfaces with the EC trough TCP/IP sockets the CERN Technical Control Room (TCR), Safety Control in an oriented connection mode (stream mode). The Room (SCR) and locally from the SPS surface buildings. exchanged messages are defined in the. Generic TDS Equipment Access Protocol (GTEAP)[5]. 4.3 Architecture The delivery of each EC is under the responsibility of The TDS integrates equipment data coming from 3 the company providing the local control system. different sources: Siemens PLCs monitoring the SPS Equipment data has to be defined in an Oracle reference ventilation and fire detection systems and the industrial database (TdrefDB) along with the TDS topology to host Landis and Staefa Visonik control system of the SPS air this new interface. conditioning. The EC may run on any platform selected by the The ventilation and fire detection PLC data company as long as it matches the specification for concentrators communicate via TCP/IP on a public integrating a new device on the control network [6] and Ethernet segment to an Equipment Controller (EC). This that it communicates through TCP/IP. The TDS process converts and integrates PLC specific data frames communicates with ECs on PCs running OS2, PowerPCs to the TDS, using an asynchronous data exchange protocol running Lynx OS and HPs running HPUX. These systems based on TCP/IP. are supervised by the CERN/SL network management The Landis & Staefa Visonik control system system. 4.4 Control room layer integration the technical infrastructure, we have built a Technical Data Server whose distributed architecture allows the The TDS provides equipment data storage in a real time integration of any local control systems via a defined database, alarm delivery to the central alarm server, data protocol based on TCP/IP. logging, automatic sending of command to the equipment, and data delivery to mimic diagrams [7]. Data send by the ventilation and fire detection systems References: will automatically trigger commands to the L&G Visonik [1] "Integrating Industrial Control Systems into the system to alter the ventilation of the tunnels. Control Environment of the Technical Infrastructure of CERN", P. Sollander, D. Blanc, A. 4.5 Main system characteristics Swift, ICALEPCS'95, Chicago, USA, October 30 - - Siemens S5-95-U PLCs to collect data from fire detection November 3, 1995 units and air conditioning systems [2] "Utilisation d'un logiciel commercial graphique pour - Siemens Profibus, le controle des installations techniques du CERN", - Siemens S5-115-U acting as data concentrator, and CERN-ST-MC-TCR/92, October 92 connected to the SPS Ethernet network via a specific [3] "Data Communication Infrastructure Available at TCP/IP card. CERN for Interconnection of Industrial Control - HP servers running the TDS/RTworks processes Systems", Robin Lauckner, Patrick Lienard, Raymond Rauch, CERN-SL 97-14 CO, March 1997. 5 Conclusion [4] "SPS Access Control Renewal: Functional Specifications", TECNOST - April 1997 Industrial control components may be used today at [5] "Technical Data Server V1.0 ICD", P. Ninin & all, every level of the standard model. The robustness of the ST/MC/96-12PN, December 1196 industrial programmable logic controllers and of the field [6] "Integration of Industrial Equipment and Distributed buses makes them very efficient devices for controlling Control Systems into the Control Infrastructure at local processes particularly in "industrial areas" (dust, CERN", October 1997, R.J. Lauckner, R. Rausch, electromagnetic noise). Today the PLCs may be connected ICALEPCS'97, this Conference, Beijing,3-7 to TCP/IP networks easing integration with the control November 1997 room layer. However when integrating several local [7] "Technical Data Server: a Modern Vision of Large control system in a global monitoring system, a clear Scale Supervision" P. Ninin, ICALEPCS'97, this strategy must be defined. At CERN, for the monitoring of Conference, Beijing, 3-7 November 1997