RomLibEmu: Network Interface Stress Tests for the CERN Radiation Monitoring Electronics (CROME)
K. Ceesay-Seitz, H. Boukabache, M. Leveneur, D. Perrin
CERN, Geneva, Switzerland
The CERN RadiatiOn Monitoring Electronics are a modular safety system for radiation monitoring that is remotely configurable through a supervisory system via a custom protocol on top of a TCP/IP connection. The configuration parameters influence the safety decisions taken by the system. An independent test library has been developed in Python in order to test the system’s reaction to misconfigurations. It is further used to stress test the application’s network interface and the robustness of the software. The library is capable of creating packets with default values and of autocompleting packets according to the protocol, and it allows the construction of packets from raw data. Malformed packets can be intentionally crafted, and the response of the application under test is checked for protocol conformance. New test cases can be added to the test case dictionary. Before each release of a new version of the communication library, the Python test library is used for regression testing. The current test suite consists of 251 automated test cases. Many application bugs were found and fixed in this way, which improved the reliability and availability of the system.
Towards the Optimization of the Safety Life-Cycle for Safety Instrumented Systems
B. Fernández Adiego, E. Blanco Viñuela, Th. Otto, R. Speroni, G. de Assis Schmidt
CERN, Geneva, Switzerland
The design and development of Safety Instrumented Systems (SIS) according to the IEC 61511 standard is a long and costly process. Although the standard gives recommendations and guidelines for each phase of the safety life-cycle, implementing them is not a simple task. Access to reliability data, hardware and systematic safety integrity analysis, software verification, generation of reports, guarantee of traceability between all the phases and management of the project are some of the main challenges. In addition, some of the industrial processes or test-benches of large scientific installations are in continuous evolution and changes are very common. This adds extra complexity to the management of these projects. This paper presents an analysis of the safety life-cycle workflow and discusses the biggest challenges based on our experience at CERN. It also establishes the basis for a selection of the tools for some of the safety life-cycle phases, proposes report templates and management procedures and, finally, describes the roles of the different members in our functional safety projects.
Y.L. Zhang, D.P. Jin, P. Zhu
IHEP, Beijing, People’s Republic of China
The fast protection system (FPS) for the CSNS accelerator is an FPGA-based protection system. The FPS uses the VME bus and SFP links. It consists of one central station and several sub-stations, with the connections between the central station and the sub-stations arranged in a star topology. Two beam-stopping modes are designed and implemented by the FPS: a transient beam stop with automatic recovery, and a permanent beam stop. The measured response time of the FPS is less than 1.5 microseconds.
Safeguarding a Large Particle Accelerator Research Facility: A Multilayer Distributed Control Architecture
SLAC, Menlo Park, California, USA
The Personnel Protection System (PPS) at SLAC is a global safety system responsible for protecting personnel from radiation hazards. The system’s functional design shares concepts with machinery safeguarding, though the complexity of the PPS is much higher due to its wide geographic distribution, large number of devices, and multiple sources of hazards. In this paper, we first introduce the multilayer distributed control system architecture of SLAC’s PPS, which serves three beam programs, namely LCLS, LCLS-II and FACET-II, that share the same 4 km linear accelerator infrastructure. Composed of 50+ sets of redundant safety PLCs and 20+ access control PLCs, SLAC’s PPS has five layers: beam program, beam switching and permit, zone access control, zone safety control, and sensor/shutoff subsystems. With this architecture, safety functions often involve multiple controllers across several layers, which makes system analysis, design, and testing a challenge. Therefore, we also discuss SIL verification and the functional-safety issues that arise in complex systems of this type.
Integrated Supervision for Conventional and Machine-Protection Configuration Parameters at ITER
D.A. Karkinsky, J. Jignesh, A. Marqueta, I. Prieto Diaz, W. Van Herck
ITER Organization, St. Paul lez Durance, France
Configuration parameters for ITER’s I&C systems are predominantly highly coupled due to the nature of the process under control. Consequently, I&C re-configuration requires an integrated supervision approach that addresses coupling through abstraction, automation, scalability, changeability, robustness and re-usability. Moreover, high coupling may manifest at any tier of the I&C, and certainly spans configuration parameters across both conventional and machine-protection I&C. Following ITER design guidelines, the handling of machine-protection configuration parameters needs to meet the goals of IEC 61508-3. These goals are largely congruent with the main concerns of integrated supervision identified above. However, they also add requirements that bind the supervision process to traceability and audit capabilities, from the parameter sources through to the final self-test (run-time) diagnostics. This presentation describes the provisions for integrated supervision at ITER and elaborates how these provisions can be used to handle machine-protection parameters in compliance with IEC 61508-3.