DESIGN PROCESS OF THE INTERLOCK SYSTEM FOR THE COMPACT LINEAR COLLIDER

P. Nouvel¹,²,³, B. Puccio¹, M. Jonker¹, H. Tap²,³,
¹ CERN, Geneva, Switzerland
² CNRS, LAAS, 7 avenue du colonel Roche, F-31400 Toulouse, France,
³ Univ de Toulouse, INP, F-31400 Toulouse, France

Abstract

The Interlock system forms a critical part for the machine protection of linear colliders. Its goal is to inhibit the next pulse either on failure of critical equipment and/or on bad beam quality evaluation. This paper presents the ongoing process to validate design choices for the Compact Linear Collider (CLIC) Interlock System. The design process starts by establishing requirements. In mission-critical system case, these requirements mainly focus on the dependability. Furthermore, the new concept of fast beam quality analysis has been introduced into the CLIC Interlock System and will be discussed in this paper. To support the design process, experimentation with this concept has been launched. In addition, a hardware demonstration of the Interlock System was set up to validate that the design is in concordance with the requirements.

INTRODUCTION

In high energy accelerators field, Interlock Systems are key part of the machine protection systems. At CERN, an Interlock System has been designed for the Large Hadron Collider (LHC). Its development process has brought the usage of a safety-system and systemic approach, resulting in a formalization of the lifecycle of a protection system [1]. The protection systems for the new generations of high power machines, such as the Compact Linear Collider (CLIC), will benefit from this experience and shall integrate this approach in the early stage of their design process.

After introducing the framework, this paper presents the steps of the design process for Interlock System applied to CLIC. The first part describes the requirements establishment. The second part presents the design phase. Finally, the last part gives details about the validation. This process has been inspired by the above mentioned protection system lifecycle and the IEEE 1220-2005 standard : Application and Management of the Systems Engineering Process.

CLIC INTERLOCK SYSTEM FRAMEWORK

CLIC is a linear lepton (positron-electron) collider in the multi-teraelectronvolt (3 TeV) range, designed with a novel two beam approach. It aims to perform precision measurements of the new physics discovered by hadrons colliders (such as the LHC).

The CLIC has a large beam power (up to 70 MW) that can easily destruct part of the machine equipment. Moreover, there are many types of failures that can lead to machine damage: fast failures (e.g., accelerating structure breakdown), inter-cycle failures (e.g., equipment breakdown) and slow failures (e.g., alignment drift). Consequently, several protection strategies have been foreseen [2]: e.g., passive protection, preventing system.

The Interlock System is a key part of the machine protection framework. Its purpose is to increase the machine safety while not decreasing significantly its availability. It is done through preventing uncontrolled energy losses. The interlock system prevents uncontrolled energy losses either by dumping the active beam in the machine or by inhibiting the next machine cycle.

In the CLIC case, at each inter-cycle (i.e., between two pulses), a permit is released. A VETO decision inhibits the beam while a PASS decision does not. This inhibition can be triggered by two types of stimuli. The first type comes from critical equipment of the machine. Equipment is considered as critical when its failure mode may lead to dangerous beam instability. The second type of stimulus comes from the post-pulse analysis done by the Interlock System. This analysis aims to perform a fast beam quality analysis on each pulse during the inter-cycle in order to assert the beam stability.

REQUIREMENTS ESTABLISHMENT

The first step of the design process is to establish requirements. In addition to the functional requirements, the Interlock System has two principal performance requirements.

Response Times

The response time between a failing equipment and the actual machine interlocking must be inferior to 2 ms [2]. The Interlock System is on the critical path (cf. Figure 1) and must be able to change the permit in a fraction of this time.

Figure 1: Critical path to interlock the machine.
Secondly, the post-pulse analysis must be done between two pulses. Considering a 100 Hz beam operation and a delay of 2 ms to receive data, it leaves a maximum time of 6 ms, as shown on Figure 2.

![Figure 2: Response times requirement](image)

**Dependability**

A central attribute of the Interlock System is the dependability and more precisely, its reliability and availability. The determination of these requirements has been done with the methodology from the protection system lifecycle. The first task has been to identify the risks. The hazard chain (Figure 3) helps to analyse which chain of events the interlock system shall prevent.

![Figure 3: Hazard Chain](image)

In the following step the covered risks are analysed. As a first estimate, the figures are based on operational statistics of LHC (Table 1). The consistency of these rates was cross-checked with a method based on availability assumptions. For a next iteration these rates should be issued from a complete CLIC failures catalogue.

<table>
<thead>
<tr>
<th>Type of failure</th>
<th>Machine Failure Rate</th>
</tr>
</thead>
<tbody>
<tr>
<td>Critical Equipment</td>
<td>(2.65 \times 10^{-7}) pulse(^{-1})</td>
</tr>
<tr>
<td>Slow Beam instability</td>
<td>(3.33 \times 10^{-8}) pulse(^{-1})</td>
</tr>
</tbody>
</table>

After setting the reduction risk to be achieved, the third step is to define the tolerable failure rate for the Interlock System (Table 2).

<table>
<thead>
<tr>
<th>Interlock System Failure Mode</th>
<th>Failure Rate</th>
</tr>
</thead>
<tbody>
<tr>
<td>False PASS decision</td>
<td>(4.17 \times 10^{-6}) pulse(^{-1})</td>
</tr>
<tr>
<td>Transient false VETO decision</td>
<td>(0.1) h(^{-1})</td>
</tr>
<tr>
<td>Permanent false VETO decision</td>
<td>(2) year(^{-1})</td>
</tr>
</tbody>
</table>

**Interfaces**

As shown in Figure 1, the Interlock System is interfaced mainly with two other systems.

Both the data to assert the beam quality and the data related to equipment failures are obtained through the same acquisition and control infrastructure. This data is acquired in 20’000 crates along the main Linac, assembled and then dispatched to users tasks running in concentrator crates at the 48 tunnel access shafts. The beam permit (generated by the Interlock System) is delivered to the actuator(s), called target system(s). In the case of CLIC, the targets are amongst others, beam source inhibits, extraction kicker inhibits, dump kickers.

**Functions**

As for the LHC, the beam permit loop (cf. Figure 4) is the backbone of the Interlock System, transmitting the beam permit. A signal is generated by the voting node (i.e., the master) on every single loop. Every node (i.e., the slaves) has the ability to open the loop and will do so as soon as the beam operation is not safe. The permit loop is multiplied to reach the dependability attributes, requiring thus a voting system (e.g., 2-out-of-3).
This allows the usage of a standardized interface for all type of incoming data. The thresholds are defined and managed by their field experts.

In order to assure the post-pulse analysis in the expected time, this idea is to synthesize the data up to the master node. Moreover, an extra layer of concentrating module allows to implement local rules and it complements the local threshold comparison with a global analysis.

**Layout**

Combining the functions and the constraints of the interfaces with the CLIC architecture, the overall system layout is synthesised in Figure 5.

![Figure 5: Interlock System architecture.](image)

**VALIDATION**

**Feasibility Study**

Before advancing further in the design process, a feasibility study is required to validate the design choices.

The beam permit loop is used in the LHC [4] where its feasibility has been amply demonstrated.

Concerning the post-pulse analysis, some existing systems are using related principles [5] [6] but do not integrate the full concept. Consequently, an experiment has been developed (through a JAVA application) in the CTF3 (CLIC Test Facility 3). This demonstration is a beam sequencer applying the post-pulse analysis concept. As a result, it has identified the key points of the concept such as the threshold management, the type of incoming data and the needed strong coordination with the accelerator mode.

**Hardware Validation**

To demonstrate that it will meet the proposed system design, the last step of the process is to prove it will reach the established requirements.

For this purpose a prototype, scaling-down the Interlock System, has been developed with the aim to measure the performance of the system. Once these measurements are made, they must be extrapolated to the CLIC scale by considering the number of modules and the inter-module distance.

The synoptic of this prototype is shown in Figure 6. It is based on five boards, each one with an FPGA as its core. A FMC (FPGA Mezzanine Card) connector allows different front panel solutions. Each board represents a module (master, slave or concentrator) and the last board is used to emulate the acquisition and control infrastructure. The data communication is done with gigabyte transceivers.

The main performances to measure are:

- The response time to trigger an interlock request.
- The response time to perform the post-pulse analysis.
- The failure modes characterization of a single node.

![Figure 6: Interlock System prototype synoptic.](image)

**CONCLUSION AND PERSPECTIVES**

To date, the response time to trigger an interlock request has been measured and extrapolated to 220 $\mu$s, giving a remaining time of 1.58 ms for the acquisition infrastructure to transmit the data. The two other measurements are ongoing.

Following this first process iteration, the new generation should be integrated in the final adopted acquisition and control infrastructure of CLIC. The system should be validated in an operational environment such as the CTF3 in pair with the test of the CLIC module prototype.

**REFERENCES**