Personnel Safety and Machine Protection
Paper Title Page
MOM308 XFEL Machine Protection System (MPS) Based on uTCA 1
  • S. Karstensen, M.E. Castro Carballo, J.M. Jäger, M. Staack
    DESY, Hamburg, Germany
  For the operation of a machine like the 3 km long linear accelerator XFEL at DESY Hamburg, a safety system keeping the beam from damaging components is obligatory. This machine protection system (MPS) must detect failures of the RF system, magnets, and other critical components in various sections of the XFEL as well as monitor beam and dark current losses, and react in an appropriate way by limiting average beam power, dumping parts of the macro-pulse, or, in the worst case, shutting down the whole accelerator. It has to consider the influence of various machine modes selected by the timing system. The MPS provides the operators with clear indications of error sources, and offers the possibility to mask any input channel to facilitate the operation of the machine. In addition, redundant installation of critical MPS components will help to avoid unnecessary downtime. This paper summarizes the requirements on the machine protection system and includes plans for its architecture and for needed hardware components. It will show up the clear way of configuring this system - not programming. Also a look into the financial aspects (manpower / maintenance / integration) will be presented.  
slides icon Slides MOM308 [1.487 MB]  
MOM309 Upgrade of the Beam Monitor System for Hadron Experimental Facility at J-PARC 1
  • Y. Morino, K. Agari, Y. Sato, A. Toyoda
    KEK, Tokai, Ibaraki, Japan
  Hadron experimental facility(HD hall) at Japan Proton Accelerator Research Complex (J-PARC) is designed to provide high intensity beam for particle and nuclear physics. Slow-extracted proton beam(2 second spill per 6 seconds) from main ring is injected to a production target at the HD hall. On May 2013, proton beam was instantaneously extracted to the HD hall in 5 milliseconds. The short pulse beam melted the production target. After the accident, the beam operation was stopped at the HD hall. For the recovery of the HD hall, we upgraded the beam line of the HD hall in many aspects to sustain the abnormal beam injection. The monitor system of the beam line was also upgraded to detect the abnormal beam injection. The rate monitor of second particles from the target was prepared to detect short pulse injection. The beam profile monitor was upgraded to measure at several times during one pulse to detect a sudden change of the beam profile. The beam loss monitor was upgraded to read out always to detect unexpected high intensity beam promptly. These signals were included in the interlock system. In this paper, the detail of the beam monitor system upgrade will be reported.  
slides icon Slides MOM309 [1.980 MB]  
MOPGF122 A Fast Interlock Detection System for High-Power Switch Protection 1
  • P. Van Trappen, E. Carlier, S. Uyttenhove
    CERN, Geneva, Switzerland
  Fast pulsed kicker magnet systems are powered by high-voltage and high-current pulse generators with adjustable pulse length and amplitude. To deliver this power, fast high-voltage switches such as thyratrons and GTOs are used to control the fast discharge of pre-stored energy. To protect the machine and the generator itself against internal failures of these switches several types of fast interlocks systems are used at TE-ABT (CERN Technology department, Accelerator Beam Transfer). To get rid of this heterogeneous situation, a modular digital Fast Interlock Detection System (FIDS) has been developed in order to replace the existing fast interlocks systems. In addition to the existing functionality, the FIDS system will offer new functionalities such as extended flexibility, improved modularity, increased surveillance and diagnostics, contemporary communication protocols and automated card parametrization. A Xilinx Zynq®-7000 SoC has been selected for implementation of the required functionalities so that the FPGA (Field Programmable Gate Array) can hold the fast detection and interlocking logic while the ARM® processors allow for a flexible integration in CERN's Front-End Software Architecture (FESA) framework, advanced diagnostics and automated self-parametrization.  
poster icon Poster MOPGF122 [0.861 MB]  
MOPGF123 Upgrades of Temperature Measurements and Interlock System for the Production Target at J-PARC Hadoron Experimental Facility 1
  • K. Agari, Y. Morino, Y. Sato, A. Toyoda
    KEK, Tsukuba, Japan
  Funding: This work was supported by Grant-in-Aid (No. 26800153) for Young Scientists (B) of the Japan Ministry of Education, Culture, Sports, Science and Technology [MEXT].
Hadron experimental facility is designed to handle intense slow-extraction proton beam from Main Ring (MR) of Japan Proton Accelerator Research Complex (J-PARC). On May 23, 2013, 2×1013 proton beams were instantaneously extracted to Hadron experimental facility in 5 milliseconds due to the malfunction of the power supply for Extraction Quadrapole magnet for a spill feedback at MR. Therefore the production target made of gold was locally damaged at Hadron experimental facility because of overheat by absorbing proton beam. After the accident we upgraded target temperature measurements with 100 milliseconds sampling and synchronization with beam spills in order to promptly detect damage to the production target as soon as possible. In addition, we also upgraded temperature trend graphs and an interlock system in order to figure out the state of the production target. Currently Hadron experimental facility ready to accept slow-extraction proton beam. The results of the temperature measurements and the interlock system for the production target during beam operation at J-PARC Hadron experimental facility, will be reported in this paper.
poster icon Poster MOPGF123 [0.497 MB]  
MOPGF125 The General Interlock System (GIS) for FAIR 1
  • F. Ameil, C. Betz
    GSI, Darmstadt, Germany
  • G. Cuk, I. Verstovšek
    Cosylab, Ljubljana, Slovenia
  The Interlock System for FAIR named General Interlock System (GIS) is part of the Machine Protection System which protects the accelerator from damage by misled beams. The GIS collects various Interlock sources hardware signals from up to 60 distributed remote I/O stations through PROFINET to a central PLC CPU. Thus a bit-field is build and sent to the interlock processor via a simple Ethernet point-to-point connection. Additional software Interlock sources can be picked up by the Interlock Processor via UDP/IP protocol. The Interlock System for FAIR project was divided into 2 development phases. Phase A contains the interlock signal gathering (HW and SW) and a status viewer. Phase B entails the fully functional interlock logic (support for dynamic configuration), interface with Timing System, interlock signal acknowledging, interlock signal masking, archiving and logging. The realization of the phase A will be presented in this paper.  
MOPGF126 A Modified Functional Safety Method for Predicting False Beam Trips and Blind Failures in the Design Phase of the ESS Beam Interlock System 1
  • R. Andersson, E. Bargalló, A. Monera Martinez, A. Nordt
    ESS, Lund, Sweden
  As accelerators are becoming increasingly powerful, the requirement of a reliable machine protection system is apparent to avoid beam-induced damage to the equipment. A missed detection of a hazard is undesirable as it could lead to equipment damage on very short time scales. In addition, the number of false beam trips, leading to unnecessary downtime, should be kept at a minimum to achieve user satisfaction. This paper describes a method for predicting and mitigating these faults, based on the architecture of the system. The method is greatly influenced by the IEC61508 standard for functional safety for the industry and implements a Failure Mode, Effects, and Diagnostics Analysis (FMEDA). It is suggested that this method is applied at an early stage in the design phase of a high-power accelerator, so that possible protection and mitigation can be suggested and implemented in the interlock system logic. The method described in this paper is currently applied at the European Spallation Source and the results follow from the analysis on the Beam Interlock System of this facility.  
History and Future of the Machine Protection System for the High Intensity Proton Accelerator (HIPA) at Paul Scherrer Institute (PSI)  
  • P. Bucher
    PSI, Villigen, Villigen, Switzerland
  Even after more than 40 years of continued operation, the control system for the HIPA is still being further improved and developed. This also applies to the Run Permit System (RPS) which is a part of the control system. The challenge we are faced is to upgrade the system in technology, structure and reliability while the system components need to remain compatible with each other. The previous generation of the RPS were CAMAC (EUR 4100 e) based crates and were holding the in-house developed hardware which connects the alarm signals to the system. PSI introduced VME (VITA 1.1-1997) as the new control system standard. Hence, new RPS Industry Packs for VME Carrier Boards had to be developed. During the VME upgrade, the structure of the RPS remained the same. The focus was put on increasing the reliability and flexibility of the system. Today, after the upgrade, the system is running stable. Continued efforts are necessary to lower costs and become more independent from products which are not further developed by the manufacturers. With a more compact design in mind, it will increase the I/O usage per slot, which will lead to reduced cabling, less hardware and ultimately fewer errors.  
poster icon Poster MOPGF127 [0.347 MB]  
MOPGF129 Understanding the Failure Characteristics of the Beam Permit System of RHIC at BNL 1
  • P. Chitnis, T.G. Robertazzi
    Stony Brook University, Stony Brook, New York, USA
  • K.A. Brown
    BNL, Upton, Long Island, New York, USA
  Funding: Work supported by Brookhaven Science Associates, LLC under Contract No. DE-SC0012704 with the U.S. Department of Energy.
The RHIC Beam Permit System (BPS) monitors the anomalies occurring in the collider and restores the machine to a safe state upon fault detection. The reliability of the BPS thus directly impacts RHIC availability. An analytical multistate reliability model of the BPS has been developed to understand the failure development and propagation over store length variation. BPS has a modular structure. The individual modules have joint survival distributions defined by competing risks with exponential lifetimes. Modules differ in functionality and input response. The overall complex behavior of the system is analyzed by first principles for different failure/success states of the system. The model structure changes according to the type of scenario. The analytical model yields the marginal survival distribution for each scenario versus different store lengths. Analysis of structural importance and interdependencies of modules is also examined. A former Monte Carlo model* is used for the verification of the analytical model for a certain store length. This work is next step towards building knowledge base for eRHIC design by understanding finer failure characteristics of the BPS.
*P. Chitnis et al., 'A Monte Carlo Simulation Approach to the Reliability Modeling of the Beam Permit System of Relativistic Heavy Ion Collider (RHIC) at BNL', Proc. ICALEPCS'13, San Francisco, CA.
poster icon Poster MOPGF129 [1.326 MB]  
MOPGF131 Interlock System for Machine Protection at ThomX Accelerator 1
  • N. ElKamchi, P. Gauron, H. Monard
    LAL, Orsay, France
  ThomX is a Compton based photons source. It aims to produce a compact and directional X-rays source, with high performance, high brightness and adjustable energy*. The principal application fields are medical sciences, social technology and industry. An interlock system has been implemented for machine protection, especially to protect sensitive and essential equipment (magnets, vacuum system, etc.) during machine operation. ThomX interlock system is based on Programmable Logic Controller (PLC-Siemens S7-1500), it collects default signals from the different equipment of the machine, up to the central PLC which kills the beam, by stopping the RF or the injection, in case of problem (bad vacuum, magnets overheating, etc.). The interlock system consists of two levels. The first one is a local process, whose role is to monitor the variations of different parameters of the machine equipment, and generates a default signal in case of operation problem. The second level is the central PLC, which gathers and process all the default signals from subsystems, and stops the RF power in a very short time. Actually, the interlock system is under test, it will allow accelerator to work safely.
*C. Bruni et al.,'ThomX - Conceptual Design Report', 2009, pp.1-136.
MOPGF132 Building an Interlock: Comparison of Technologies for Constructing Safety Interlocks 1
  • T. Hakulinen, F. Havart, P. Ninin, F. Valentini
    CERN, Geneva, Switzerland
  Interlocks are an important feature of both personnel and machine protection systems for mitigating risks inherent in operation of dangerous equipment. The purpose of an interlock is to secure specific equipment or entire systems under well defined conditions in order to prevent accidents from happening. Depending on specific requirements for the level of reliability, availability, speed, and cost of the interlock, various technologies are available. Different approaches are discussed, in particular in the context of personnel safety systems, which have been built or tested at CERN during the last few years. Technologies discussed include examples of programmable devices, PLCs and FPGAs, as well as wired logic based on relays and special logic cards.  
poster icon Poster MOPGF132 [1.249 MB]  
MOPGF134 Design of Fast Machine Protection System for the C-ADS Injection I 1
  • F. Liu, J. Hu, X.S. Jiang, Q. Ye
    IHEP, People's Republic of China
  • G.H. Gong
    Tsinghua University, Beijing, People's Republic of China
  In this paper a new fast machine protection system is proposed. This system is designed for the injection Ι of C-ADS which fault reaction time requires less than 20us, and the one minute down time requires less than 7 times in a whole year. The system consist of one highly reliable control network based on a control board and some front IO sub-boards, and one nanosecond precision timing system using white rabbit protocol. The control board and front IO sub-board are redundant separately. The structure of the communication network is a combination structure of star and tree types which using the 2.5GHz optical fiber links the all nodes. This paper pioneered the use of nanosecond timing system based on the white rabbit protocol to determine the time and sequence of each system failure. Another advantage of the design is that it uses standard FMC and an easy extension structure which made the design is easy to use in a large accelerator.  
poster icon Poster MOPGF134 [0.820 MB]  
MOPGF135 Upgrade of the Trigger Synchronisation and Distribution System of the Beam Dumping System of the Large Hadron Collider 1
  • N. Magnin, A. Antoine, E. Carlier, V. Chareyre, S. Gabourin, A. Patsouli, N. Voumard
    CERN, Geneva, Switzerland
  Various upgrades were performed on the Large Hadron Collider (LHC) Beam Dumping System (LBDS) during Long Shutdown 1 (LS1) at CERN, in particular to the Trigger Synchronisation and Distribution System (TSDS): A redundant direct connection from the LHC Beam Interlock System to the re-trigger lines of the LBDS was implemented, a fully redundant powering architecture was set up, and new Trigger Synchronisation Unit cards were deployed over two separate crates instead of one. These hardware changes implied the adaptation of the State Control and Surveillance System and an improvement of the monitoring and diagnosis systems, like the various Internal Post Operation Check (IPOC) systems that ensure that, after every beam dump event, the LBDS worked as expected and is 'as good as new' for the next LHC beam. This paper summarises the changes performed on the TSDS during LS1, highlights the upgrade of the IPOC systems and presents the problems encountered during the commissioning of TSDS before the LHC Run II.  
poster icon Poster MOPGF135 [0.948 MB]  
MOPGF136 ADaMS 3: An Enhanced Access Control System for CERN 1
  • P. Martel, Ch. Delamare, G. Godineau, R. Nunes
    CERN, Geneva, Switzerland
  ADaMS is CERN's Access Distribution and Management System. It evaluates access authorizations to more than 400 zones and for more than 35k persons. Although accesses are granted based on a combination of training courses followed, administrative authorizations and the radio-protection situation of an individual, the policies and technicalities are constantly evolving along with the laboratory's activities; the current version of ADaMS is based on a 7 year old design, and is starting to show its limits. A new version of ADaMS (3) will allow improved coordination with CERN's scheduling and planning tools (used heavily during technical shutdowns, for instance), will allow CERN's training catalog to change without impacting access management and will simplify and reduce the administrative workload of granting access. The new version will provide enhanced self-services to end users by focusing on access points (the physical barriers) instead of safety zones. ADaMS 3 will be able to cope better with changing and new requirements, as well as the multiplication of access points. The project requires the cooperation of a dozen services at CERN, and should take 18 months to develop.  
poster icon Poster MOPGF136 [1.258 MB]  
MOPGF137 Interlock of Beam Loss at Low Energy Part of J-PARC Linac 1
  • A. Miura, Y. Kawane, N. Kikuzawa, T. Maruta
    JAEA/J-PARC, Tokai-mura, Japan
  • T. Miyao
    KEK, Ibaraki, Japan
  J-Parc linac has developed the output beam power by increasing of acceleration energy and the peak beam current. The beam loss is getting serious along with increasing the output beam power, however, the beam loss caused at the low energy part is difficult to detect due to the low energy radioactive emission. An interlock system has been developed to prevent from the sufficient material activation using the beam current monitors. In the system, an electrical circuit to take the beam transmission between two beam current monitors is newly designed and fabricated. This paper describes the performance of the electrical circuit and the system configuration will be introduced.  
MOPGF138 Overview and Design Status of the Fast Beam Interlock System at ESS 1
  • A. Monera Martinez, R. Andersson, A. Nordt, M. Zaera-Sanz
    ESS, Lund, Sweden
  • C. Hilbes
    ZHAW, Winterthur, Switzerland
  The ESS, consisting of a pulsed proton linear accelerator, a rotating spallation target designed for an average beam power of up to 5 MW, and a suite of neutron instruments, requires a large variety of instrumentation, both for controlling as well as protecting the different hardware systems and the beam. The ESS beam power is unprecedented and an uncontrolled release could lead to serious damage of equipment installed along the tunnel and target station within only a few microseconds. Major failures of certain equipment will result in long repair times, because it is delicate and difficult to access and sometimes located in high radiation areas. To optimize the operational efficiency of the facility, accidents should be avoided and interruptions should be rare and limited to a short time. Hence, a sophisticated machine protection system is required. In order to stop efficiently the proton beam production in case of failures, a Fast Beam Interlock (FBI) system with a targeted reaction time of less than 5 microseconds and very high dependability is being designed. The design approach for this FPGA-based interlock system will be presented as well as the status on prototyping.  
poster icon Poster MOPGF138 [2.412 MB]  
MOPGF140 Integration of PLC's in Tango Control Systems Using PyPLC 1
  • S. Rubio-Manrique, M. Broseta, G. Cuní, D. Fernandez-Carreiras, A. Rubio, J. Villanueva
    ALBA-CELLS Synchrotron, Cerdanyola del Vallès, Spain
  The Equipment Protection Systems and Personnel Safety Systems of the ALBA Synchrotron are complex and highly distributed control systems based on PLC's from different vendors. EPS and PSS not only regulate the interlocks of the whole ALBA facility but provide an extense network of analog and digital sensors that collect information from all subsystems; as well as its logical states. TANGO is the Control System framework used at ALBA, providing several tools and services (GUI's, Archiving, Alarms) in which EPS and PSS systems must be integrated. PyPLC, a dynamic Tango device, have been developed in python to provide a flexible interface and enable PLC developers to automatically update it. This paper describes how protection systems and the PLC code generation cycle have been fully integrated within TANGO Control System at ALBA.  
poster icon Poster MOPGF140 [2.242 MB]  
MOPGF141 Upgrade of Abort Trigger System for SuperKEKB 1
  • S. Sasaki, A. Akiyama, M. Iwasaki, T. Naito, T.T. Nakamura
    KEK, Ibaraki, Japan
  The beam abort system was installed in KEKB in order to protect the accelerator equipment and the Belle detector, and for radiation safety, from high current beams. For SuperKEKB, the new abort trigger system was developed. It collects more than 130 beam abort request signals and issues the beam abort trigger signal to the abort kickers. The request signals are partially aggregated in local control rooms located along the SuperKEKB ring and finally aggregated in central control room. In order to increase the system reliability, the VME-based module and the O/E module was developed, and all the abort signals between the modules are transmitted as optical signals. The VME-based module aggregates input signals and input signals are OR and latched. The E/O module converts electrical signal from abort request source to optical signal. The system also has the timestamp function to keep track of the abort signal received time. The timestamps are expected to contribute to identify the cause of the beam abort. Based on feasibility tests with a prototype module, the new module design was improved and fixed. This paper describes the details of the new abort trigger system.  
poster icon Poster MOPGF141 [0.523 MB]  
MOPGF142 Development of a Network-based Personal Dosimetry System, KURAMA-micro 1
  • M. Tanigaki
    Kyoto University, Research Reactor Institute, Osaka, Japan
  • Y. Nakanishi
    Shikoku Research Institute Inc., Kagawa, Japan
  As the recovery from the nuclear accident in Fukushima progresses, strong demands arise on the continuous monitoring of individual radiation exposure based on action histories in a large group, such as the residents returning to their hometown after decontamination, or the workers involved in the decomissioning of the Fukushima Daiichi nuclear power plant. KURAMA-micro, a personal dosimetry system with network and positioning capability, is developed for such purpose. KURAMA-micro consists of a semiconductor dosimeter and a DAQ board based on OpenATOMS. Each unit records radiation data tagged with their measurement time and locations, and uploads the data to the server over a ZigBee-based network once each unit comes near one of the access points prepared expected activities range of users. Location data are basically obtained by a GPS unit, and an additional radio beacon scheme using ZigBee broadcast protocol is also used for the indoor positioning. The development of a proto-type KURAMA-micro is finished and a field test for the workers of a nuclear reactor under normal operation is planned in the spring of 2015.  
MOPGF143 Integration of Heterogeneous Access Control Functionalities Using the New Generation of NI cRIO 903x Controllers 1
  • F. Valentini, T. Hakulinen, L. Hammouti, P. Ninin
    CERN, Geneva, Switzerland
  Engineering of Personnel Protection Systems (PPS) in large research facilities, such CERN, represents nowadays a major challenge in terms of requirements for safety and access control functionalities. PPS are usually conceived as two separate independent entities: a Safety System dealing with machine interlocks and subject to rigid safe-ty standards (e.g. IEC-61508); and a conventional Access Control System made by integration of different COTS technologies. The latter provides a large palette of func-tionalities and tools intended either to assist users access-ing the controlled areas, either to automate a certain number of control room operator's tasks. In this paper we analyse the benefits in terms of performance, cost and system maintainability of adopting the new generation of NI multipurpose CRIO 903x controllers. These new de-vices allows an optimal integration of a large set of access control functionalities, namely: automatic control of mo-torized devices, identification/count of users in zone, im-plementation of dedicated anti-intrusion algorithms, graphical display of relevant information for local users, and remote control/monitoring for control room opera-tors.  
poster icon Poster MOPGF143 [1.562 MB]  
Design of the Personnel Radiation Safety Interlock System for High Intensity D-T Fusion Neutron Generator  
  • L.W. Wang, C. Liu, Y. Song, J.Y. Wang
    INEST, Hefei, People's Republic of China
  • W.T. Wang
    USTC, Hefei, Anhui, People's Republic of China
  Funding: Strategic Priority Research Program of Chinese Academy of Science Grant(No.XDA03040000)and ITER 973 Program(No.2014GB112001)
High intensity D-T fusion neutron generator (HINEG), which is designed to be operated in continuous and pulsed modes, provides a significant experimental platform for nuclear numerous researches. In this paper, the personnel radiation safety interlock system for HINEG operators is designed to prevent the radiation hazard and to assist in ensuring the safety of the HINEG operation. The safety interlock system monitors all the safety devices and controls licensed signals of each subsystem in accordance with safety interlock of HINEG constraints. Safety PLC is used as a central controller, which uses time redundancy and difference comparison rather than structure redundancy. A high-speed redundancy optical fiber ring network configured with 2 industrial switches is developed, which is able to accomplish network reconfiguration within a few milliseconds once a communication failure occurs. A friendly interactive operation interface has also been developed for operators to manage the devices intuitively. The interface runs on an Industrial Personal Computer (IPC) and communicates with Safety PLC through Process Field (PROFI) safe protocol.
poster icon Poster MOPGF144 [1.060 MB]  
MOPGF145 Commissioning and Design of the Machine Protection System for Fermilab's Fast Facility 1
  • L.R. Carmichael, D.J. Crawford, N. Liu, R. Neswold, A. Warner, J.Y. Wu
    Fermilab, Batavia, Illinois, USA
  The Fermilab Accelerator Science and Technology (FAST) Facility will provide an electron beam with up to 3000 bunches per macro-pulse, 5Hz repetition rate and 300 MeV beam energy. The completed machine will be capable of sustaining an average electron beam power of close to 15KW at the bunch charge of 3.2nC. A robust Machine Protection System (MPS) capable of interrupting the beam within a macro-pulse and that interfaces well with new and existing controls system infrastructure has been developed to mitigate and analyze faults related to this relatively high damage potential. This paper describes the component layers of the MPS system, including a FPGA-based Permit Generator and Laser Pulse Controller, the Beam Loss Monitoring system design as well as the controls and related work done to date.  
poster icon Poster MOPGF145 [1.844 MB]  
MOPGF146 Safety Interlock System for a Proton Linac Accelerator 1
  • Y. Zhao, Y.Y. Du, J. He, F. Liu, Q. Ye
    IHEP, Beijing, People's Republic of China
  The C-ADS Injector-I is an experimental proton machine in IHEP. An interlock system based on redundancy PLC was developed for machine protection and personnel safety. Device status, radiation dose, temperature of cavities and chambers are collected for machine state judge and interlock. A MPS (Machine Protection System) work together with the interlock system in the control loop, and protect the machine in four levels for different situation.  
TUC3I01 Machine Protection and Interlock System for Large Research Instruments 1
  • R. Schmidt
    CERN, Geneva, Switzerland
  Major research instruments such as accelerators and fusion reactors operate with large amount of power and energy stored in beams and superconducting magnets. Highly reliable Machine Protection systems are required to operate such instruments without damaging equipment in case of failure. The increased interest in protection is related to the increasing beam power of high-power proton accelerators such as ISIS, SNS, ESS and the PSI cyclotron, to the large energy stored in the beam (in particular for hadron colliders such as LHC) and to the stored energy in magnet systems such as for ITER and LHC. Machine Protection includes process and equipment monitoring, a system to safely stop operation (e.g. dumping the beam or extracting the energy stored in the magnets) and an interlock system for highly reliable communication between protection systems. Depending on the application, the reaction of the protection function to failures must be very fast (for beam protection systems down to some us). In this paper an overview of the challenges for protection is given, and examples of interlock systems and their use during operation are presented.  
slides icon Slides TUC3I01 [1.883 MB]  
TUC3O02 Design, Implementation and Setup of the Fast Protection System for CSNS 1
  • D.P. Jin, Y.L. Zhang, P. Zhu
    IHEP, Beijing, People's Republic of China
  Design, implementation and setup of a FPGA and RocketIO based FPS(Fast Protection System) for CSNS(China Spallation Neutron Source) is introduced. This system is a compact design with high speed serial transmission techniques. RocketIOs (or MGTs) and optical transceivers are used to transmit the interlock signals, with each link to carry 16 signals. Ground loop problems are avoided since the use of fibers. Dedicated firmware is developed for the auto-working of the serial links when both fibers are plugged in under power-on state. A real-time online heart-beat function is also implemented for each interlock signal to make sure the overall safety of the system. The whole system is under installation and will be put into use soon part by part according to the progress of the civil construction and equipment installation.  
slides icon Slides TUC3O02 [3.489 MB]  
TUC3O03 Development and Realisation of the ESS Machine Protection Concept 1
  • A. Nordt, R. Andersson, T. Korhonen, A. Monera Martinez, M. Zaera-Sanz
    ESS, Lund, Sweden
  • A. Apollonio, R. Schmidt
    CERN, Geneva, Switzerland
  • C. Hilbes
    ZHAW, Winterthur, Switzerland
  ESS is facing extremely high beam availability requirements and is largely relying on custom made, very specialised, and expensive equipment for its operation. The proton beam power with an average of 5MW per pulse will be unprecedented and its uncontrolled release can lead to serious damage of the delicate equipment, causing long shutdown periods, inducing high financial losses and, as a main point, interfering drastically with international scientific research programs relying on ESS operation. Implementing a fit-for-purpose machine protection concept is one of the key challenges in order to mitigate these risks. The development and realisation of the measures needed to implement such concept to the correct level in case of a complex facility like the ESS, requires a systematic approach, and will be discussed in this paper.  
slides icon Slides TUC3O03 [11.927 MB]  
TUC3O04 Reusable Patient Safety System Framework for the Proton Therapy Centre at PSI 1
  • P. Fernandez Carmona, M. Eichin, M. Grossmann, A. Mayor, H.A. Regele
    PSI, Villigen, Switzerland
  • E. Johansen
    PSI, Villigen, Villigen, Switzerland
  A new gantry for cancer treatment is being installed at the Proton Therapy Centre in the Paul Scherrer Institut (PSI), where already two gantries and a fixed line operate. A protection system is required to ensure the safety of patients, requiring stricter redundancy, verification and quality assurance (QA) measures than other accelerators. It supervises the Therapy System, sensors, monitors and operator interface and can actuate magnets and beam blockers. We built a reusable framework to increase the maintainability of the system using the commercial IFC1210 VME controller, developed for other PSI facilities. It features a FPGA implementing all the safety logic and two processors, one dedicated to debugging and the other to integrating in the facility's EPICS environment. The framework permitted us to reduce the design and test time by an estimated 40% thanks to a modular approach. It will also allow a future renovation of other areas with minimum effort. Additionally it provides built-in diagnostics such as time measurement statistics, interlock analysis and internal visibility. The automation of several tasks reduces the burden of QA in an environment with tight time constraints.  
slides icon Slides TUC3O04 [10.385 MB]  
  • K. Ha, W.X. Cheng, L.R. Dalesio, J.H. De Long, Y. Hu, P. Ilinski, J. Mead, D. Padrazo, S. Seletskiy, O. Singh, R.M. Smith, Y. Tian
    BNL, Upton, Long Island, New York, USA
  • G. Shen
    FRIB, East Lansing, Michigan, USA
  Funding: Work supported by DOE contract No: DE-AC02-98CD10886
At National Synchrotron Light Source-II (NSLS-II), a field-programmable gate array (FPGA) based global active interlock system (AIS) has been commissioned and used for beam operations. The main propose of AIS is to protect insertion devices (ID) and vacuum chambers from the thermal damage of high density synchrotron radiation power. This report describes the status of AIS hardware, software architectures and operation experience.
slides icon Slides TUC3O05 [21.147 MB]  
TUC3O06 Machine Protection System for the KOMAC 100-MeV Proton Linac 1
  • Y.G. Song, Y.-S. Cho, D.I. Kim, H.S. Kim, H.-J. Kwon, K.T. Seol, S.P. Yun
    KAERI, Daejon, Republic of Korea
  Funding: This work has been supported through KOMAC operation fund of KAERI by MSIP(Ministry of Science, ICT and Future Planning)
A Machine Protection System (MPS) is one of the important systems for the 100-MeV proton linear accelerator of the Korea Multi-purpose Accelerator Complex (KOMAC). The MPS is required to protect the very sensitive and essential equipment during machine operation. The purpose of the MPS is to shut off the beam when the Radio-Frequency (RF) and ion source are unstable or a beam loss monitor detects high activation. The MPS includes a variety of sources, such as beam loss, RF and high voltage converter modulator faults, fast closing valves for vacuum window leaks at the beam lines and so on. The MPS consists of a hard-wired protection for fast interlocks and a soft-wired protection for slow interlock. The hardware-based MPS has been fabricated, and the requirement has been satisfied with the results within 3 μs. The Experimental Physics and Industrial Control System (EPICS) control system has been also designed to monitor and control the MPS using a Programmable Logic Controller (PLC). This paper describes the design and implementation of the MPS for the 100-MeV proton linear accelerator of the Korea Multi-purpose Accelerator Complex (KOMAC).
slides icon Slides TUC3O06 [12.865 MB]  
TUC3O07 Safety Integrity Level (SIL) Verification for SLAC Radiation Safety Systems 1
  • F. Tao, E. Carrone, J.M. Murphy, K.T. Turner
    SLAC, Menlo Park, California, USA
  SIL is a key concept in functional safety standards: it is a performance measure on how reliable is a safety system performing a particular safety function. In the system design stage, SIL verification must be performed to prove that the SIL achieved meets/exceeds the SIL assigned during risk assessment, to comply with standards. Unlike industrial applications, where safety systems are usually composed of certified devices or devices with long usage history, safety systems in large physics laboratories are less standardized and more complex in terms of system architecture and devices used. In addition, custom designed electronics are often employed, with limited reliability information. Verifying SIL for these systems requires in-depth knowledge of reliability evaluation. In this paper, it is demonstrated how to determine SIL using SLAC radiation safety systems (Personnel Protection System (PPS) and Beam Containment System (BCS)) as examples. PPS utilizes commercial safety rated devices, while BCS also contains customized electronics. Choice of standards, methods of evaluation, reliability data gathering process (both from industry and from hardware development) are also discussed.  
slides icon Slides TUC3O07 [1.754 MB]