Presentation is loading. Please wait.

Presentation is loading. Please wait.

Beam Interlock System Design H. Pavetits 1 PR-110627-a-HPA, June 27th, 2011.

Published byLillian Hoover Modified over 9 years ago

Similar presentations

Presentation on theme: "Beam Interlock System Design H. Pavetits 1 PR-110627-a-HPA, June 27th, 2011."— Presentation transcript:

1 Beam Interlock System Design H. Pavetits 1 PR-110627-a-HPA, June 27th, 2011

2 Background Causes Device malfunctions Unintended irradiation Effects Damage of equipment Persons are harmed Analysis Identify 1) hazards, 2) causes, 3) effects Determine 1) severity and 2) probability Risk = Severity x Probability If risk outside of accepted level foresee risk reduction measure H. Pavetits SmallMediumSevere Catastro phic Always 1 Often Occasion al Seldom 2 Unlikely 3 PR-110627-a-HPA, June 27th, 2011 2

3 Lines of Defense 1.Operate accelerator in a responsible manner 1.Establishment of user manuals and rules 2.Training of personnel 3.Communication among persons 2.Mechanisms in software 1.Exclusive allocation of machine partitions, devices before use 2.Automatic control of protection mechanisms as part of automated procedures 3.Patrol disables access to electronically controlled areas 3.Local safety functions in devices and device groups 4.Beam Interlock System steps in if all other measures fail H. Pavetits PR-110627-a-HPA, June 27th, 2011 3

4 Remaining Risk Control Primary risk control done through operation procedures Operation procedures may fail Hazards that may occur due to software malfunction are assumed to occur with 100% probability Remaining Risk Reduction Measures operation procedures fails -> address remaining risk first at device level local measures insufficient -> involve the BIS H. Pavetits PR-110627-a-HPA, June 27th, 2011 4

5 Goals of the BIS First reduce risk for persons to be harmed Due to conflicting commands intended for beam generation Second protect machine components from damage Due to conflicting commands The scope of the BIS is to act as a functional safety mechanism for the particle accelerator H. Pavetits The BIS reduces the risks of harming people and damaging equipment due to device malfunction and unintended irradiation with respect to the particle accelerator’s operation PR-110627-a-HPA, June 27th, 2011 5

6 Out of Scope Ensure safe access to accelerator devices for service activities (to be covered by local safety measures) Protect patients from beams that deviate from nominal characteristics Protect people from hazards that do not originate from the particle accelerator Unforeseeable misuse including disregard and ignorance of established intended uses H. Pavetits The following tasks are not addressed by the BIS PR-110627-a-HPA, June 27th, 2011 6

7 Processor Concept H. Pavetits Logic SensorActuator Input Module Output Module Scope of System WPs need to identify WHAT are their sensors and WHAT are their actuators PR-110627-a-HPA, June 27th, 2011 7

8 Separation of Concerns Functionality covered by BIS Listen to signals Generate signals Process defined rules To be covered by WPs Sensors Actuators Risk analysis for individual devices Common risk analysis with WP CO Definition of conditions to act together with other WPs H. Pavetits PR-110627-a-HPA, June 27th, 2011 8

9 H. Pavetits Sensors and Actuators PR-110627-a-HPA, June 27th, 2011 9

10 Reaction time Order of “cycle” durations Faster than human: look – decide – act Slower than dedicated safety systems 1500 Inputs / 900 Outputs Central processing Network with IO modules Orthogonal to the other systems H. Pavetits Characteristics System components PR-110627-a-HPA, June 27th, 2011 10

11 De-energize to Trip (DTT) De-energize To Trip cause of harm is active when the input is logical “0” and when the effect is active the output is logical “0”. Devices states may represent multiple harms Harm to other equipment, different harms to persons under different conditions Suggested to have interlock signal per harm condition Examples Magnet overheated -> temperature switch open = circuit open Door open = circuit open Power converter fails -> circuit open Stop button pressed = circuit open H. Pavetits PR-110627-a-HPA, June 27th, 2011 11

12 Orthogonality BIS rules are only based on input levels: !Keep it simple! No notion of operation modes Control of complexity due to multiplication and differentiation of rules Risk to set the wrong mode, forget mode switching There is no single accelerator mode (machine can be partitioned) No notion of cycles Need to be able to work across cycle boundaries Safety by design of components BIS does not signal interlock condition absence of a signal -> device moves to a state in which it does not represent harm to identified persons or equipment device remains in this state until a control action (human or procedure) happens Device does not react to control action that requests the device’s operation H. Pavetits PR-110627-a-HPA, June 27th, 2011 12

13 Safe State/Operational State Are device specific Are defined by each WP for each device May require interaction with other WPs Are documented by WP H. Pavetits PR-110627-a-HPA, June 27th, 2011 13

14 Siemens Simatic Safety Matrix Table based interface Cause & effect method Siemens PLCs and I/O Modules Reliable, flexible and scalable Profibus I/O network Distributed I/O Modules to interconnect racks H. Pavetits Hardware / Software Design PR-110627-a-HPA, June 27th, 2011 14

15 STEP 7 Safety-Matrix H. Pavetits PR-110627-a-HPA, June 27th, 2011 15

16 User Interface I H. Pavetits 128 1024 Configured example Matrix PR-110627-a-HPA, June 27th, 2011 16

17 User Interface II - Causes H. Pavetits PR-110627-a-HPA, June 27th, 2011 17

18 User Interface III - Effects H. Pavetits PR-110627-a-HPA, June 27th, 2011 18

19 User Interface IV - Intersections H. Pavetits PR-110627-a-HPA, June 27th, 2011 19

20 User Interface V - Reports Automatically generated by Safety-Matrix Required for approval of the safety program by the authorities Event-report also generated H. Pavetits PR-110627-a-HPA, June 27th, 2011 20

21 Structure of the PLC program Siemens PLC programs are structured in OBs Standard programming languages: LAD (ladder logic) STL (statement list) FBD (function block diagram) Additional languages: CFC (continuous function chart) Safety-Matrix Compiling steps: Safety-Matrix → CFC ↘ Machine code ↗ LAD, STL, FBD H. Pavetits PR-110627-a-HPA, June 27th, 2011 21

22 Some OB definitions of Siemens systems Different priorities of the OBs can be defined PLC program OB no.Purpose 1-9Cyclic program code 10-17Time of day interrupt 20-23Time delay interrupt 30-38Cyclic interrupt (10ms-5s) 40-47Hardware interrupt 100Warm restart 101Hot restart 102Cold restart H. Pavetits PR-110627-a-HPA, June 27th, 2011 22

23 CFC – Safety-Matrix H. Pavetits Output runtime group Matrix runtime groups PR-110627-a-HPA, June 27th, 2011 23

24 Few matrices possible (recommended less than 10) At most 128 causes and 128 effects per Matrix Outputs cannot be shared by matrices H. Pavetits Characteristics of Safety-Matrix PR-110627-a-HPA, June 27th, 2011 24

25 Constraints Total number of I/Os per matrix (128 x 128) An output to a device can only be controlled by 1 matrix Hierarchies of matrices lead to uncontrolled reaction times Up to 2 seconds from input to output Number of individual rules must be Flexible enough to allow selective activation of safety functions Prevent entire shutdown of plant due to isolated hazards Prevent selective shutdown of plant due to linked chains H. Pavetits PR-110627-a-HPA, June 27th, 2011 25

26 Realization H. Pavetits PR-110627-a-HPA, June 27th, 2011 26

27 PCO / Magnets Sources + LEBT PCO / Magnets Injector RF + MEBT PCO / Magnets MR + EX PCO / Magnets EX PCO / Magnets + MTE IR1 + IR2 PCO / Magnets + MTE IR3 + IR4 Shared Outputs Emergency devices Shared Outputs Beam stoppers Sources RF devices... Emergency Inputs Stop buttons SMS PCS RP... Emergency Outputs “2 nd level interlock” of PCO’s Other matrices Shared Inputs Other matrices RF devices Vacuum controllers Beam stoppers H. Pavetits Defined Matrices PR-110627-a-HPA, June 27th, 2011 27

28 Response time Safety-Matrix I Cycle Time [ms]ConverterMatr. ConverterTime [ms] 5032 5-50 50672 70-130 501176 80-100 200321 100 3003211 130-200 35032111 140-400 400321111 160-350 45032121 160-500 5006413132230-540 60032161 950-1200 650128161321200 700781161321000-1500 H. Pavetits PR-110627-a-HPA, June 27th, 2011 28

29 Response time Safety-Matrix II H. Pavetits PR-110627-a-HPA, June 27th, 2011 29

30 Current Design State of the BIS H. Pavetits Response time ≤ 400 ms PR-110627-a-HPA, June 27th, 2011 30

31 Device specific Interlock conditions H. Pavetits PR-110627-a-HPA, June 27th, 2011 31

32 Injector RF H. Pavetits PR-110627-a-HPA, June 27th, 2011 Inj. RF ¬Veto ¬OFF Amp 1 ¬Veto ¬Op ¬Error ¬OFF Amp 2 ¬Veto ¬OFF Amp 3 ¬Veto ¬OFF Amp 4 ¬Veto ¬OFF LLRF ¬Veto ¬OFF ¬Op ¬Error ¬Op ¬Error ¬Op ¬Error ¬Op ¬Error ¬Op ¬Error OR =“1” 32

33 Beam stoppers H. Pavetits PR-110627-a-HPA, June 27th, 2011 Beam St. ¬IN ¬OUT OUT Safety- Matrix PCS DoorBS ¬IN Switch Dp Safety- Matrix with delay chopper All Sw. Dp BS ¬OUT delay 33

34 BDI-devices H. Pavetits PR-110627-a-HPA, June 27th, 2011 Only for moveable devices in Sx, LEBT, MEBT FCN ¬Error FCN Sx 34

35 Status H. Pavetits PR-110627-a-HPA, June 27th, 2011 35

36 Conclusion Safety-Matrix tool was evaluated A design of the BIS was developed Solution for number of required inputs and outputs elaborated Solution for maximum response time from input change to actuation of corresponding outputs in the order of 600 msecs elaborated Communication between the PLC and WinCC OA was tested H. Pavetits PR-110627-a-HPA, June 27th, 2011 36

37 Outlook / Schedule PR-110627-a-HPA, June 27th, 2011 H. Pavetits Low priority: Improvement of the Safety-Matrix response time DateActivities Until 12/2011Risk workshops for all WPs Until 02/2012Definition of all interlock chainsDescription of PCS Starting with 02/2012Programming the BIS 37

Download ppt "Beam Interlock System Design H. Pavetits 1 PR-110627-a-HPA, June 27th, 2011."

Similar presentations

André Augustinus 15 March 2003 DCS Workshop Safety Interlocks.

André Augustinus 15 March 2003 DCS Workshop Safety Interlocks.
Unit 7 Discrete Controllers

Unit 7 Discrete Controllers
André Augustinus 16 June 2003 DCS Workshop Safety.

André Augustinus 16 June 2003 DCS Workshop Safety.
WHAT IS AN OPERATING SYSTEM? An interface between users and hardware - an environment architecture ” Allows convenient usage; hides the tedious stuff.

WHAT IS AN OPERATING SYSTEM? An interface between users and hardware - an environment "architecture ” Allows convenient usage; hides the tedious stuff.
1/1/ / faculty of Electrical Engineering eindhoven university of technology Architectures of Digital Information Systems Part 1: Interrupts and DMA dr.ir.

1/1/ / faculty of Electrical Engineering eindhoven university of technology Architectures of Digital Information Systems Part 1: Interrupts and DMA dr.ir.
1 BROOKHAVEN SCIENCE ASSOCIATES NSLS-II Shielding Workshop S. Buda Personnel Protective Systems March 27, 2007.

1 BROOKHAVEN SCIENCE ASSOCIATES NSLS-II Shielding Workshop S. Buda Personnel Protective Systems March 27, 2007.
Rexroth IndraDrive Integrated Safety Technology

Rexroth IndraDrive Integrated Safety Technology
WP CO Status and Progress December 8th, 2010 Johannes Gutleber PR-101207-a-JGU, December 8th, 2010 J. Gutleber 1 R. Gutleber.

WP CO Status and Progress December 8th, 2010 Johannes Gutleber PR a-JGU, December 8th, 2010 J. Gutleber 1 R. Gutleber.
MotoHawk Training Model-Based Design of Embedded Systems.

MotoHawk Training Model-Based Design of Embedded Systems.
Switchgears Control Using SCADA System Based on PLC

Switchgears Control Using SCADA System Based on PLC
1: Operating Systems Overview

1: Operating Systems Overview
OPERATING SYSTEM OVERVIEW

OPERATING SYSTEM OVERVIEW
INPUT/OUTPUT ORGANIZATION INTERRUPTS CS147 Summer 2001 Professor: Sin-Min Lee Presented by: Jing Chen.

INPUT/OUTPUT ORGANIZATION INTERRUPTS CS147 Summer 2001 Professor: Sin-Min Lee Presented by: Jing Chen.
Controlling Hazardous Energy

Controlling Hazardous Energy
Chapter 8 Output Modules.

Chapter 8 Output Modules.
Part II AUTOMATION AND CONTROL TECHNOLOGIES

Part II AUTOMATION AND CONTROL TECHNOLOGIES
Ekrem Kocaguneli 11/29/2010. Introduction CLISSPE and its background Application to be Modeled Steps of the Model Assessment of Performance Interpretation.

Ekrem Kocaguneli 11/29/2010. Introduction CLISSPE and its background Application to be Modeled Steps of the Model Assessment of Performance Interpretation.
Safety concept and scope for WP Controls Fabian Moser February 5, 2010.

Safety concept and scope for WP Controls Fabian Moser February 5, 2010.
Designing a HEP Experiment Control System, Lessons to be Learned From 10 Years Evolution and Operation of the DELPHI Experiment. André Augustinus 8 February.

Designing a HEP Experiment Control System, Lessons to be Learned From 10 Years Evolution and Operation of the DELPHI Experiment. André Augustinus 8 February.
LOGO OPERATING SYSTEM Dalia AL-Dabbagh 120090285.

LOGO OPERATING SYSTEM Dalia AL-Dabbagh

Similar presentations

Ads by Google