Interlock Systems for Machine Protection Manuel Zaera-Sanz Interlocks Engineer – ICS / Protection Systems AD and ICS Retreat mtg 2014 11 December 2014.

Slides:

Advertisements

Similar presentations

Beam Diagnostics for ADS Dirk Vandeplassche SCK  CEN EUCARD-2 — MAX Accelerators for ADS CERN, March 2014.

Advertisements

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #17-1 Chapter 17: Introduction to Assurance Overview Why assurance? Trust and.

ESS Timing System Plans and Requirements Timo Korhonen Chief Engineer, Integrated Control System Division May 19, 2014.

Can We Trust the Computer?

Syllabus Case Histories WW III Almost Medical Killing Machine

An Advanced Linear Accelerator Facility for Microelectronic Dose Rate Studies P.E. Sokol and S.Y.Lee Indiana University.

TUPD02 BEAM DIAGNOSTICS FOR THE ESS BLM BPM Trans Profile Bunch Shape BCM Preliminary System Count A. Jansson, L. Tchelidze, ESS AB, Lund, Sweden Hybrid.

©Ian Sommerville 2000CS 365 Ariane 5 launcher failureSlide 1 The Ariane 5 Launcher Failure June 4th 1996 Total failure of the Ariane 5 launcher on its.

SE 450 Software Processes & Product Metrics Reliability: An Introduction.

ISIS Beam Protection System and MICE operation. Dean Adams 29 Nov 07 Presented by Chris Rogers.

T. Bajd, M. Mihelj, J. Lenarčič, A. Stanovnik, M. Munih, Robotics, Springer, 2010 SAFETY IN INDUSTRIAL ROBOTICS R. Kamnik, T. Bajd and M. Mihelj.

Systems Engineering Approach to MPS Risk Management Kelly Mahoney Presented at the Workshop for Machine Protection in Linear Accelerators.

©Ian Sommerville 2004Software Engineering Case Studies Slide 1 The Ariane 5 Launcher Failure June 4th 1996 Total failure of the Ariane 5 launcher on its.

STUXNET. Summary What is Stuxnet? Industial Control Systems The target/s of Stuxnet. How Stuxnet spreads. The impact of Stuxnet on PLC’s.

 The word "rocket" can mean different things. Most people think of a tall, thin, round vehicle. They think of a rocket that launches into space. "Rocket"

The Ariane 5 Launcher Failure

Status of the FETS Laserwire Scanner David Lee UKNFIC Meeting

Therac 25 Nancy Leveson: Medical Devices: The Therac-25 (updated version of IEEE Computer article)

The Ariane 5 Launcher Failure June 4th 1996 Total failure of the Ariane 5 launcher on its maiden flight.

SNS Integrated Control System SNS Timing Master LA-UR Eric Bjorklund.

CS 4001Mary Jean Harrold 1 Can We Trust the Computer?

Chapter 14 Part II: Architectural Adaptation BY: AARON MCKAY.

FAULT TREE ANALYSIS (FTA). QUANTITATIVE RISK ANALYSIS Some of the commonly used quantitative risk assessment methods are; 1.Fault tree analysis (FTA)

Chamonix Risks due to UPS malfunctioning Impact on the Superconducting Circuit Protection System Hugues Thiesen Acknowledgments:K. Dahlerup-Petersen,

Programmable Logic Educating Assurance Engineers NASA Glenn Research Center Kalynnda Berens (PI) Jackie Somos (Course designer)

Building Dependable Distributed Systems Chapter 1 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

Software Testing and Quality Assurance Software Quality Assurance 1.

AAE 450- Propulsion LV Stephen Hanna Critical Design Review 02/27/01.

SNS Integrated Control System Timing Clients at SNS DH Thompson Epics Spring 2003.

Issues in Accelerator Control Bob Dalesio, December 23, 2002.

1 BROOKHAVEN SCIENCE ASSOCIATES Redundancy Requirements for Critical Devices R. Casey August 8, 2007.

PLC Workshop at ITER, 4-5 th of December 2014 A. Nordt, ESS, Lund/Sweden.

This material is based upon work supported by the U.S. Department of Energy Office of Science under Cooperative Agreement DE-SC , the State of Michigan.

Timing Requirements for Spallation Neutron Sources Timing system clock synchronized to the storage ring’s revolution frequency. –LANSCE: MHz.

PIP Status Report Linac Startup plans 12/05/2012.

Software Defects.

Machine Protection at the 1MW CEBAF Electron Accelerator and Free Electron Laser Facility Kelly Mahoney Presented at the Workshop for.

K.Hanke – PS/SPS Days – 19/01/06 K.Hanke - PS/SPS Days 19/01/06 Recommissioning Linac2/PSB/ISOLDE from CCC  remote operation from CCC  upgrades & changes.

Preliminary Functional Analysis of ESS Superconducting Radio-Frequency Linac C. Darve, N. Elias, J. Fydrych, D. Piso European Spallation Source ESS AB,

Status of KEK 150MeV FFAG M. Aiba (KEK) For KEK FFAG Gr. FFAG’05, 5 to 9 Dec., KURRI.

Know the threat caused by high levels of radiation Comprehend the hazard of impact damage to spacecraft Comprehend the threats associated with surface.

FORMAL METHOD. Formal Method Formal methods are system design techniques that use rigorously specified mathematical models to build software and hardware.

BEAM INSTRUMENTATION GROUP DEPENDABILITY APPROACH CERN, Chamonix 26th January 2016 William Viganò

Beam on Target Diagnostics Beam on Target Meeting 2013 March Tom Shea.

Practical experience with the AD Stochastic Cooling Murphy’s Law R. Louwerse.

Personnel Safety Systems Stuart Birch Senior Engineer, Personnel Safety Systems November 6 th, 2014.

Topic 10Summer Ariane 5 Some slides based on talk from Sommerville.

Test and Development of the High Powered Helicon Thruster.

Mitigation Devices External Interface ICS Nick Levchenko Lund Date:

Summary of Session 1 - CLIC MP workshop 6-8/6/2012, R.Schmidt 1.

Machine Protection Systems (MPS) Arden Warner, and Jim Steimel Project X Machine Advisory Committee March 18-19, 2013.

M. Munoz April 2, 2014 Beam Commissioning at ESS.

Failure Analysis Tools at DESY. M. Bieler, T. Lensch, M. Werner, DESY ARW 2013, Melbourne,

Design process of the Interlock Systems Patrice Nouvel - CERN / Institut National Polytechnique de Toulouse CLIC Workshop Accelerator / Parameters.

LEDA Vacuum Interlocks Bob Dalesio. Outline Leda vacuum system – displays and interfaces PLC Interlocks as presented to the operator EPICS interlock to.

ESS Timing System Plans Timo Korhonen Chief Engineer, Integrated Control System Division Nov.27, 2014.

Reliability and Performance of the SNS Machine Protection System Doug Curry 2013.

FUNDAMENTALS OF COMPUTER SYSTEMS Lesson 1. Starter What is the difference between hardware and software?

Functional Safety in industry application

Introduction; Machine protection, experience and challenges: Review of existing solutions and challenges faced by future installations Purpose of machine.

Introduction to Assurance

BE-BI Software for LINAC4

COMP60611 Directed Reading 1: Therac-25

ECE 103 Engineering Programming Chapter 2 SW Disasters

CSNS Accelerator Control and Beam Instrumentation JIN Dapeng, XU Taoguang … June 9, 2015

Interlocking of CNGS (and other high intensity beams) at the SPS

Safety Instrumented Systems

Software Engineering for Safety: a Roadmap

(Beam) Commissioning Plan

UITF Conduct of Operations Review

Presentation transcript:

Interlock Systems for Machine Protection Manuel Zaera-Sanz Interlocks Engineer – ICS / Protection Systems AD and ICS Retreat mtg December 2014

Murphy’s laws on critical systems... -“Sooner or later, the worst possible combination of circumstances will happen” -“If a system stops working, it will do it at the worst possible time” -“Any SW bug will tend to maximize the damage” -“The worst SW bug will be discovered six months after the field test” -“Damage to an object is proportional to its value” -“If something can go wrong, it will go wrong” 211 DEC 2014AD and ICS Retreat mtg 2014

Some real-world examples... -An error in a data type conversion for horizontal speed computation provoked the explosion of the Ariane V first flight (Jun 1996) -A design fault of the upper stage of the Soyuz rocket (freezing the fuel of the thrusters), sent Galileo satellites into wrong orbits (August 2014) -Philae robotic lander (Rosetta mission) landed in a shadow area of the comet due to a failure in the harpoons propulsion system (Nov 2014) -The RADAR of the NORAD defense system misunderstood the moon by an enemy missile (1979) -A 767 plane (United Airlines) was frozen due to the system for fuel saving was “too much” efficient (Aug 1983) -An error in a soviet missile implied that the target was Hamburg instead of the Artic ocean (Dec 1984) 311 DEC 2014AD and ICS Retreat mtg 2014

Barriers to prevent failures: Fault Avoidance (FA) & Fault Tolerance (FT) 411 DEC 2014AD and ICS Retreat mtg 2014 DESIGN & SPECIFICATION IMPLEMENT. & VALIDATION INTERNAL PHYSICAL CAUSES EXTERNAL PHYSICAL CAUSES INTERACTION & OPERATION ORIGIN FAULTS SOFTWARE FAULTS HARDWARE FAULTS CONSEQUENCES FAULTS Barrier I FA Barrier II FT ERRORSERRORS Barrier III FT FAILURESFAILURES

Those barriers are not enough... Interlocks for machine protection: Protection of equipment, taking the proper actions to avoid any damage with a high confidence (highly dependable) defined in a previous risk analysis Interlocks for machine protection at ESS: Devices used to protect the investment, i.e., our linear accelerator (its equipment) and the target, by taking the proper actions to stop/allow beam operation and abort/allow powering 511 DEC 2014AD and ICS Retreat mtg 2014

Our mission statement 11 DEC 2014AD and ICS Retreat mtg Objectives: – Protect the Investment (1800 MEURO) A LINAC without interlocks is “like a car without brakes” – Protect the beam: No beam => No neutrons – Provide the evidence How ? Using programmable electronics and hardwired links => Slow and Fast machine protection systems

Slow machine protection systems 11 DEC 2014AD and ICS Retreat mtg Equipment to be protected: – Magnets (Magnet Powering Interlocks) – Vacuum system – Insertable devices (Faraday cups, wire scanners) – Target system How ? – Using PLCs (Programmable Logic Controllers) – Following standard IEC (no need of certification)

Fast machine protection systems 11 DEC 2014AD and ICS Retreat mtg Equipment to be protected: – Ion source status – Choppers – Steerers – RFQ (Radio Frequency Quadruple) – Raster Magnets – Beam diagnostics (Beam Loss Monitors, Beam current monitors) – RF system How ? – Using FPGAs (Field Programmable Gate Arrays) – Following standard IEC (no need of certification)

Conclusions 11 DEC 2014AD and ICS Retreat mtg Interlocks for machine protection is protecting an investment of 1800 MEURO LINAC => Critical system Unique and complex machine with many non-linear components and interactions High power pulses of up to 5 14Hz High availability required (95 %) Failures may occur even if fault avoidance and fault tolerance techniques are used, therefore a high dependable interlocks system is required