450 likes | 1.6k Views
Interlocks. Request for feedback. Interlocks, the context. What is Safety: Safety of people (prevent injuries or worse) Safety (or protection) of equipment (protect capital investment) CERN Safety System Covers “Level3” alarms (Fire, Gas etc.) (designed for personnel safety)
E N D
Interlocks Request for feedback DCS Workshop
Interlocks, the context • What is Safety: • Safety of people (prevent injuries or worse) • Safety (or protection) of equipment (protect capital investment) • CERN Safety System • Covers “Level3” alarms (Fire, Gas etc.) (designed for personnel safety) • DCS ensures integrity of the experiment through: • Alarm reporting (for operator intervention) and automation • Detailed control on detector level and control of infrastructure and services (with high granularity) • Interlocks on detector level DCS Workshop
Interlocks, introduction • Its primary task is to protect equipment and the detector from serious damage • In order to be able discuss efficiently the subject, and to define requirements more precisely, we tried to define a common language; a common understanding of: what are interlocks • Different classes of interlocks can be defined • These are described in ‘interlocks document’ (and TDR)[and available on our web pages] Please comment! DCS Workshop
Interlock classes • Consider interlocks in its widest sense We distinguish four classes of interlocks: • “Hardwired”: • Internal interlocks • Cross-system interlocks • Actions • “Software”: • Actions Availability Complexity Low level High level DCS Workshop
“Hardwired” internal interlocks • Provide intrinsic protection of each type of equipment, lowest level of interlocks • Built into equipment or electronics • Examples: • Fuse • Switch-off of HV channel at over-current (‘Trip’) • Hardwired protection on the Front End Electronics • E.g. ‘programmed’ in a FPGA • E.g. switch-off a voltage regulator at over-current DCS Workshop
“Hardwired” internal interlocks Interaction with DCS • Some of these interlocks might have no interaction at all with the DCS • But the result of an interlock being activated will be seen • Some of these interlocks might be read • The DCS will be informed if an interlock is activated or not • Some of these interlocks might need to be configured (setting a limit, such as maximum current: ‘trip limit’) DCS Workshop
“Hardwired” internal interlocks • Provide an inventory of this class of interlocks for your sub-detector: • Especially if an interaction with DCS is required (read status, set limits) • Especially if this concerns non-standard devices DCS Workshop
“Hardwired” cross-system interlocks • This is what people usually understand as interlock • Consist of a hardwired connection between two sub-systems • Usually a contact that is kept closed by the source • an action is to be triggered when contact is opened • Typical example is to interlock HV if gas mixture is wrong (risk of sparks) or interlock LV if cooling is failing (risk of damaging electronics) Gas orCooling PowerSupply DCS Workshop
“Hardwired” cross-system interlocks Some more terminology: • “Positive safety”: • A signal has to be present to indicate normal situation(e.g. cutting a cable would activate the interlock) Interlockreceiver Interlocksource 48V Gas orCooling PowerSupply DCS Workshop
“Hardwired” cross-system interlocks Interlock source • Only few are “real” hardwired= activated directly by a dedicated sensor • Example: thermo-switch • Most are generated by a PLC or similar system • Example: relay in gas or cooling control system • Some intelligence involved • User can define conditions to activate interlock • Example: Temperature too high, gas mixture wrong • Other sources could be: magnet control system, LHC accelerator, radiation detectors, neighbour sub-detector etc. DCS Workshop
“Hardwired” cross-system interlocks Interlock receiver • Usually (HV and LV) power supplies • Action is an “emergency off” of the power supply (usually a crude action) • Commercial power supplies have an input for an interlock signal • Custom built equipment will have to implement such an input, if needed DCS Workshop
“Hardwired” cross-system interlocks Interlock receiver • Most likely a provision should be made to distribute a single interlock signal to a set of power supplies (e.g. daisy chain, distribution box) • It could be needed to have a possibility to “OR” several interlock signals • Example: an interlock from the cooling and from the gas should cut the same power supply • Electromechanical or more intelligent (e.g. using PLC-like devices) solutions exist DCS Workshop
“Hardwired” cross-system interlocks • Provide an inventory of these interlocks and define: • On what conditions does the source have to activate the interlock? • What are the receivers for each of these interlocks? • Are these conditions ‘fixed’ or likely to change often? • Does the receiving end have an input for an interlock? • Does one interlock cut more than one device? • Does more than one interlock cut the same device? • Can we standardise on a closed contact for these interlocks?(thus, opening the chain will trigger the interlock) DCS Workshop
“Hardwired” actions • Can be seen as a “gentle interlock” • A hardwired signal will trigger a predefined action • E.g. a ‘fast’ ramp down of the HV • Signal can be generated by the same source as mentioned before or even a simple push-button • However, this functionality does note come for free! • Is normally not foreseen in equipment, need a specific implementation • Provide your requirements for such actions DCS Workshop
“Software” actions • Normal level of protection • Programmed in the DCS (e.g. in Finite State Machine), can have any level of complexity • Available only if the relevant part of DCS is operational • Examples: • Make sure systems can only be switched on if other systems are OK (and switch systems off if problem in other systems) • Make sure systems are switched on or off in a given order • Provide your requirements for such actions DCS Workshop
Your input is requested • Identify and assess the potential hazards in your detector • Decide what kind of interlock is most suitable • Is a software action sufficient, or is a hardwired interlock required • First: remember that the DCS is designed to be more robust than your desktop computer on the campus network • Protected, isolated network; computers and network on UPS etc. • then: ask yourself what happens if the software action is not performed DCS Workshop
Your input is requested • Make an inventory of all interlocks • Describe the “software actions” you need • Goes with the operational requirements in your URD • Do you need “hardware actions”? • For hardware interlocks: • What is the source? • What are the conditions to activate the interlock? • Can the ‘receiving end’ receive interlocks, and what signal does it expect (opening a contact, change in voltage level) DCS Workshop
Food for thought • What happens to your equipment and detector in case of power cut • Might happen more often than activation of an interlock • What happens in case of a partial power cut • E.g. no power in counting room, but still power in cavern • Are you sensitive to external systems or influences • E.g. neighbouring sub-detector, magnet, LHC, earthquake DCS Workshop
Conclusions • Many of the questions were raised a year ago • Now it’s really time to answer them to allow for a common approach • Defined different classes of interlocks • Let us know your remarks • We need your input, your requirements concerning interlocks • Both the ‘hardwired’ and ‘software’ ones • Check if your equipment can accept interlocks • Think about the open issues pointed out before DCS Workshop