Functional Safety Systems for Machine Protection, Personnel Safety
Paper Title Page
WEBR01 RomLibEmu: Network Interface Stress Tests for the CERN Radiation Monitoring Electronics (CROME) 581
 
  • K. Ceesay-Seitz, H. Boukabache, M. Leveneur, D. Perrin
    CERN, Geneva, Switzerland
 
  The CERN RadiatiOn Monitoring Electronics are a modular safety system for radiation monitoring that is remotely configurable through a supervisory system via a custom protocol on top of a TCP/IP connection. The configuration parameters influence the safety decisions taken by the system. An independent test library has been developed in Python in order to test the system’s reaction to misconfigurations. It is further used to stress test the application’s network interface and the robustness of the software. The library is capable of creating packets with default values, autocompleting packets according to the protocol and it allows the construction of packets from raw data. Malformed packets can be intentionally crafted and the response of the application under test is checked for protocol conformance. New test cases can be added to the test case dictionary. Each time before a new version of the communication library is released, the Python test library is used for regression testing. The current test suite consists of 251 automated test cases. Many application bugs could be found and solved, which improved the reliability and availability of the system.  
DOI • reference for this paper ※ https://doi.org/10.18429/JACoW-ICALEPCS2021-WEBR01  
About • Received ※ 10 October 2021       Revised ※ 18 October 2021       Accepted ※ 02 February 2022       Issue date ※ 24 February 2022
 
WEBR02 Towards the Optimization of the Safety Life-Cycle for Safety Instrumented Systems 586
 
  • B. Fernández Adiego, E. Blanco Viñuela, Th. Otto, R. Speroni, G. de Assis Schmidt
    CERN, Geneva, Switzerland
 
  The design and development of Safety Instrumented Systems (SIS) according to the IEC 61511 standard is a long and costly process. Although the standard gives recommendations and guidelines for each phase of the safety life-cycle, implementing them is not a simple task. Access to reliability data, hardware and systematic safety integrity analysis, software verification, generation of reports, guarantee of traceability between all the phases and management of the project are some of the main challenges. In addition, some of the industrial processes or test-benches of large scientific installations are in continuous evolution and changes are very common. This adds extra complexity to the management of these projects. This paper presents an analysis of the safety life-cycle workflow and discusses the biggest challenges based on our experience at CERN. It also establishes the basis for a selection of the tools for some of the safety life-cycle phases, proposes report templates and management procedures and, finally, describes the roles of the different members in our functional safety projects.  
DOI • reference for this paper ※ https://doi.org/10.18429/JACoW-ICALEPCS2021-WEBR02  
About • Received ※ 07 October 2021       Revised ※ 22 October 2021       Accepted ※ 21 December 2021       Issue date ※ 25 February 2022
 
WEBR03 The Fast Protection System for CSNS Accelerator 593
 
  • Y.L. Zhang, D.P. Jin, P. Zhu
    IHEP, Beijing, People’s Republic of China
 
  The fast protection system for CSNS accelerator is an FPGA-based protection system. The VME bus and SFP were adopted by the FPS. The FPS includes one central station and several sub-stations, and connections between the central and the sub-stations are in star style. Two kinds of beam stopping modes are designed and implemented by FPS, one is the transient beam stopping and auto recovery mode, the other is the permanent beam stopping mode. The measured response time for the FPS is less than 1.5 micro-seconds.  
DOI • reference for this paper ※ https://doi.org/10.18429/JACoW-ICALEPCS2021-WEBR03  
About • Received ※ 19 October 2021       Revised ※ 25 January 2022       Accepted ※ 06 February 2022       Issue date ※ 11 February 2022
 
WEBR04 Safeguarding Large Particle Accelerator Research Facility- A Multilayer Distributed Control Architecture 596
 
  • F. Tao
    SLAC, Menlo Park, California, USA
 
  Personnel Protection System (PPS) at SLAC is a global safety system responsible for protecting personnel from radiation hazards. The system’s functional design shares similar concepts with machinery safeguarding, though the complexity of PPS is much higher due to its wide geographic distribution, large numbers of devices, and multiple sources of hazards. In this paper, we will first introduce the multilayer distributed control system architecture of SLAC’s PPS, which serves three beam programs, e.g., LCLS, LCLS-II and FACET-II, that exist in the same 4km linear accelerator infrastructure. Composed of 50+ sets of redundant safety PLCs and 20+ access control PLCs, SLAC’s PPS has five layers: beam program, beam switching and permit, zone access control, zone safety control and sensor/shutoff subsystems. With this architecture, safety functions often involve multiple controllers across several layers, making system analysis, design, and testing a challenge. Therefore, in this paper, we will also discuss SIL verification, and PPS’s functional safety related issues for this type of complex system.  
DOI • reference for this paper ※ https://doi.org/10.18429/JACoW-ICALEPCS2021-WEBR04  
About • Received ※ 15 October 2021       Revised ※ 19 October 2021       Accepted ※ 21 November 2021       Issue date ※ 21 December 2021
 
WEBR05 Integrated Supervision for Conventional and Machine-Protection Configuration Parameters at ITER 602
 
  • D.A. Karkinsky, J. Jignesh, A. Marqueta, I. Prieto Diaz, W. Van Herck
    ITER Organization, St. Paul lez Durance, France
 
  Configuration parameters for ITER’s I&C systems are predominantly highly coupled due to the nature of the process under control. Subsequently, I&C re-configuration requires an integrated supervision approach that addresses coupling through abstraction, automation, scalability, changeability, robustness and re-usability. Moreover, high coupling might manifest at any tier of the I&C, and certainly spans configuration parameters across both conventional and machine-protection I&C. Stemming from ITER design guidelines, the handling of machine-protection configuration parameters needs to meet the goals of IEC61508-3. These goals are mostly in congruence with the main concerns of integrated supervision identified above. However, they also extend requirements that bind the supervision process with traceability and audit capabilities from sources to final self-test (run-time) diagnostics. This presentation describes the provisions for integrated supervision at ITER and elaborates how these provisions can be used to handle machine-protection parameters in compliance with IEC61508-3.  
DOI • reference for this paper ※ https://doi.org/10.18429/JACoW-ICALEPCS2021-WEBR05  
About • Received ※ 07 October 2021       Revised ※ 18 October 2021       Accepted ※ 21 December 2021       Issue date ※ 27 December 2021
 
WEPV034 Equipment and Personal Protection Systems for the Sirius Beamlines 729
 
  • L.C. Arruda, G.T. Barreto, M.P. Calcanha, L.U. Camacho, H.F. Canova, F.H. Cardoso, J.V.B. Franca, G.L.M.P. Rodrigues
    LNLS, Campinas, Brazil
  • F.A. Bacchim Neto, F.N. Moura
    CNPEM, Campinas, SP, Brazil
 
  Funding: Work supported by the Brazilian Ministry of Science, Technology and Innovation
The beamlines and front ends at Sirius, the Brazilian 4th generation synchrotron light source, require monitoring and protection systems for personal and equipment safety in general, due to the high beam power dissipated along the beamline, vacuum safety, secure radiation levels, use of robots, special gases, cryogenic systems, and other highly sensitive and costly equipment throughout the facility. Two distinct programmable logic controllers (PLC) were then deployed to create the Equipment Protection System (EPS) and the Personal Protection System (PPS). This work presents an overview of the EPS/PPS - requirements, architecture, design and deployment details, and commissioning results for the first set of beamlines.
 
DOI • reference for this paper ※ https://doi.org/10.18429/JACoW-ICALEPCS2021-WEPV034  
About • Received ※ 09 October 2021       Revised ※ 19 October 2021       Accepted ※ 21 November 2021       Issue date ※ 19 December 2021
 
WEPV036 The LMJ Target Chamber Diagnostic Module 734
 
  • R. Clot
    CEA, LE BARP cedex, France
 
  The Laser MegaJoule (LMJ), the French 176-beam laser facility, is located at the CEA CESTA Laboratory near Bordeaux (France). It is designed to deliver about 1.4 MJ of energy on targets, for high energy density physics experiments, including fusion experiments. The first bundle of 8-beams was commissioned in October 2014. By the end of 2021, ten bundles of 8-beams are expected to be fully operational. Due to energy levels achieved, optical components located at the end of the bundles are highly subject to damage stresses. This is particularly the case with vacuum windows whose integrity is critical. To measure these damages, identify the growth laws, and prevent their degradation (through blockers), the Target Chamber Diagnostic Module (TCDM) was integrated into the LMJ installation in 2019. This diagnostic, which also measures the windows' transmission rate, as well as the spatial energy distribution at the end of the bundles, has been designed to operate automatically at night, between two experiments. This presentation describes two years of feedback from the TCDM and presents the areas for improvement which have been identified to optimize its efficiency and reduce its timeline.  
DOI • reference for this paper ※ https://doi.org/10.18429/JACoW-ICALEPCS2021-WEPV036  
About • Received ※ 08 October 2021       Accepted ※ 05 January 2022       Issue date ※ 25 January 2022  
 
WEPV037 Development of a Voltage Interlock System for Normal-Conducting Magnets in the Neutrino Experimental Facility at J-PARC 738
 
  • K. Nakayoshi, Y. Fujii, K. Sakashita
    KEK, Tsukuba, Japan
 
  We are upgrading a beamline of the neutrino experimental facility at J-PARC to realize its 1.3MW operation. One of the upgrade items is to strengthen machine protection interlocks at the beamline. So far, we have developed an interlock system that monitors the output current of the power supplies for normal-conducting (NC) magnets at the primary beamline. On the other hand, we observed an event in which a coil-short in one of the bending magnets at a beam transport line at J-PARC (3-50BT) happened in 2019 and caused a drift of the beam orbit over time. Our present interlock system cannot detect a similar coil-short in the magnet, while such a change of the beam orbit may cause serious trouble. One possible way to detect such a coil-short is to monitor the voltage of the magnet coil. Actually, a significant voltage drop between layers of the coil was observed for the 3-50BT magnet coil-short. Focusing on this fact, we are developing a system that constantly monitors the voltage value of the magnets at the primary beamline and issues an interlock when there is a fluctuation exceeding a threshold value. We report the progress of development of the system.  
DOI • reference for this paper ※ https://doi.org/10.18429/JACoW-ICALEPCS2021-WEPV037  
About • Received ※ 27 October 2021       Revised ※ 11 November 2021       Accepted ※ 21 November 2021       Issue date ※ 12 January 2022
 
WEPV038 Performance Verification of New Machine Protection System Prototype for RIKEN RI Beam Factory 742
 
  • M. Komiyama, M. Fujimaki, N. Fukunishi, K. Kumagai, A. Uchiyama
    RIKEN Nishina Center, Wako, Japan
  • M. Hamanaka, T. Nakamura
    SHI Accelerator Service Ltd., Tokyo, Japan
 
  We report on performance verification of a prototype of a new machine protection system for the RIKEN Radioactive Isotope Beam Factory (RIBF). This prototype was developed to update a beam interlock system (BIS) in operation since 2006. The new system, like the BIS, is configured using a programmable logic controller (PLC). We applied the prototype to a small part of RIBF and started its operation in Sept., 2020. It consists of two separate PLC stations, and there are 28 digital inputs and 23 analog inputs as interlock signals, and 5 digital outputs are used to stop a beam in total. The observed response time averaged 2 ms and 5.7 ms, respectively, within one station and with both stations. When deploying the prototype in the same scale as the BIS, which consists of 5 PLC stations with roughly 400 signals, the response time is estimated to be over 10 ms, which means that it is too long to protect the equipment when the intensity of the beam accelerated at RIBF becomes higher. Therefore, we are starting to redesign a system by adding a field-programmable gate array (FPGA) to shorten the response time significantly rather than repeating minor improvements to save a few milliseconds.  
DOI • reference for this paper ※ https://doi.org/10.18429/JACoW-ICALEPCS2021-WEPV038  
About • Received ※ 10 October 2021       Accepted ※ 21 November 2021       Issue date ※ 24 January 2022  
 
WEPV039 Novel Personnel Safety System for HLS-II 746
 
  • Z.Y. Huang, C. Li, G. Liu, X.K. Sun, J.G. Wang, S. Xu, K. Xuan
    USTC/NSRL, Hefei, Anhui, People’s Republic of China
 
  Funding: Supported by the National Natural Science Foundation of China (No.113751861)
The Hefei Light Source-II (HLS-II) is a vacuum ultraviolet synchrotron light source. The Personnel Safety System (PSS) is the crucial part to protect staff and users from radiation damages. In order to share access control information and improve the reliability for HLS-II, the novel PSS is designed based on Siemens redundant PLC under EPICS environment which is composed of the safety interlock system, access control system and the radiation monitoring system. This paper will demonstrate the architecture and the specific design of this novel PSS and show the operation performance after it has been implemented for 2 years.
 
DOI • reference for this paper ※ https://doi.org/10.18429/JACoW-ICALEPCS2021-WEPV039  
About • Received ※ 30 September 2021       Revised ※ 22 October 2021       Accepted ※ 21 November 2021       Issue date ※ 02 January 2022
 
WEPV040 Design of Machine Protection System for SXFEL-UF 750
 
  • C.L. Yu, J.G. Ding, H. Zhao
    SSRF, Shanghai, People’s Republic of China
 
  Shanghai Soft X-ray Free-Electron Laser (SXFEL) facility is divided into two phases: the SXFEL test facility (SXFEL-TF) and the SXFEL user facility (SXFEL-UF). SXFEL-TF has met all the design specifications and has been available in beam operating state. SXFEL-UF is currently under commissioning and is planned to generate 3 nm FEL radiation using a 1.5 GeV electron LINAC. To protect the critical equipment rapidly and effectively from unexpected damage, a reliable safety interlocking system needs to be designed. Machine Protection System (MPS) is designed by Programmable Logic Controller (PLC) and Experimental Physics and Industrial Control System (EPICS) which is based on a master-slave architecture. In order to meet different commissioning and operation requirements, the management and switching functions of eight operation modes are introduced in the MPS system. There are two FEL lines in user facility named SXFEL beamline project (BSP) and undulator (UD), and the corresponding design of MPS is completed. This paper focuses on the progress and challenges associated with the SXFEL-UF MPS.  
DOI • reference for this paper ※ https://doi.org/10.18429/JACoW-ICALEPCS2021-WEPV040  
About • Received ※ 10 October 2021       Revised ※ 20 October 2021       Accepted ※ 21 November 2021       Issue date ※ 07 December 2021
 
WEPV041 Implementation of a VHDL Application for Interfacing Anybus CompactCom 755
 
  • S. Gabourin, A. Nordt, S. Pavinato
    ESS, Lund, Sweden
 
  The European Spallation Source (ESS ERIC), based in Lund (Sweden), will be in a few years the most powerful neutron source in Europe with an average beam power of 5 MW. It will accelerate proton beam pulses to a Tungsten wheel to generate neutrons by the spallation effect. For such a beam, the Machine Protection System (MPS) at ESS must be fast and reliable, and for this reason a Fast Beam Interlock System (FBIS) based on FPGAs is required. Some protection functions monitoring slow values (like temperature, mechanical movements, magnetic fields) need however less strict reaction times and are managed by PLCs. The communications protocol established between PLCs and FBIS is PROFINET fieldbus based. The Anybus CompactCom allows a host to have connectivity to industrial networks such as PROFINET. In this context, FBIS represents the host and the application code to interface the AnyBus CompactCom has been fully developed in VHDL. This paper describes an open source implementation to interface a CompactCom M40 with an FPGA.  
DOI • reference for this paper ※ https://doi.org/10.18429/JACoW-ICALEPCS2021-WEPV041  
About • Received ※ 09 October 2021       Revised ※ 22 October 2021       Accepted ※ 14 January 2022       Issue date ※ 01 March 2022
 
WEPV042 Applying Model Checking to Highly-Configurable Safety Critical Software: The SPS-PPS PLC Program 759
 
  • B. Fernández Adiego, E. Blanco Viñuela, F. Havart, T. Ladzinski, I.D. Lopez-Miguel, J-C. Tournier
    CERN, Geneva, Switzerland
 
  An important aspect of many particle accelerators is the constant evolution and frequent configuration changes that are needed to perform the experiments they are designed for. This often leads to the design of configurable software that can absorb these changes and perform the required control and protection actions. This design strategy minimizes the engineering and maintenance costs, but it makes the software verification activities more challenging since safety properties must be guaranteed for any of the possible configurations. Software model checking is a popular automated verification technique in many industries. This verification method explores all possible combinations of the system model to guarantee its compliance with certain properties or specification. This is a very appropriate technique for highly configurable software, since there is usually an enormous amount of combinations to be checked. This paper presents how PLCverif, a CERN model checking platform, has been applied to a highly configurable Programmable Logic Controller (PLC) program, the SPS Personnel Protection System (PPS). The benefits and challenges of this verification approach are also discussed.  
DOI • reference for this paper ※ https://doi.org/10.18429/JACoW-ICALEPCS2021-WEPV042  
About • Received ※ 07 October 2021       Accepted ※ 21 November 2021       Issue date ※ 25 December 2021  
 
WEPV043 Generic Software for CERN’s LIU Beam Loss Monitoring Systems from LINAC4 to SPS Injection
 
  • D. Medina
    CERN, Geneva 23, Switzerland
 
  The real-time software for the Beam Loss Monitoring Systems (BLM) configures, instruments, optimizes and protects the machine in the framework of CERN’s LHC Injectors Upgrade (LIU). Initially designed to fulfil the needs of the new LINAC4 linear accelerator, the software has evolved during CERN’s LS2 to cover the additional requirements of the Proton Synchrotron Booster (PSB) and Proton Synchrotron (PS) accelerators, as well as all the interconnecting transfer lines up to the Super Proton Synchrotron (SPS), and the PS East Experiment Area. This paper outlines how the software has been designed to cover all these needs, while maintaining a homogenous software core. It will highlight the challenges in achieving this goal, as well as detailing how the special cases in the PS and TT10 transfer line were specifically addressed.  
 
WEPV044 Beam Profile Measurements as Part of the Safe and Efficient Operation of the New SPS Beam Dump System 764
 
  • A. Topaloudis, E. Bravin, S. Burger, S. Jackson, F.M. Velotti, E. Veyrunes
    CERN, Meyrin, Switzerland
 
  In the framework of the LHC Injectors Upgrade (LIU) project, the Super Proton Synchrotron (SPS) accelerator at CERN is undergoing a profound upgrade including a new high-energy beam dump. The new Target Internal Dump Vertical Graphite (TIDVG#5) is designed to withstand an average dumped beam power as high as 235 kW to cope with the increased intensity and brightness of the LIU beams whose energies in the SPS range from 14 to 450 GeV. Considering such highly demanding specifications, the constant monitoring of the device’s status and the characteristics of the beams that are dumped to it is of utmost importance to guarantee an efficient operation with little or no limitations. While the former is ensured with several internal temperature sensors, a Beam Observation system based on a scintillating screen and a digital camera is installed to extract the profile of the beam dumped in TIDVG#5 for post mortem analysis. This paper describes the overall system that uses the BTV images to contribute to the safe and efficient operation of the SPS Beam Dump System (SBDS) and hence the accelerator.  
DOI • reference for this paper ※ https://doi.org/10.18429/JACoW-ICALEPCS2021-WEPV044  
About • Received ※ 10 October 2021       Revised ※ 22 October 2021       Accepted ※ 22 December 2021       Issue date ※ 09 February 2022