Slide 1

Report
MPSC Procedures
An update
Alick Macpherson
Rutgers University/ETH Zurich
MPSC Procedures: Observations

Purpose:
Procedures are required for systems that can by their malfunctioning cause
significant damage to LHC equipment

Procedures are required for 3 types of system:



Central system: This is the BIS.
Standard System: A system that interfaces only to the BIS
Complex System:



Examples




Central: BIS
Standard: PIC, WIC, FMCM
Complex: Vacuum, BLM, LBDS
Systems not (yet) included in the MPSC procedures

17-Jul-15
A system supplies inputs to systems in addition to the BIS.
A system that reacts to signal from the BIS (ie BEAM_INFO, SAFE_Machine parameters)
Electron stoppers (RF), Access, Movable objects + …
A. Macpherson: MPSCWG - Procedures
2
MPSC Procedures: Status
1st Draft
Edit Status
EDMS Ready
MTF Ready
?
-
-
No
BIS
Yes
Updated
Yes*
No
BLM
Not yet
-
-
No
Collimators
Not yet
-
-
No
FMCM
Yes
Minor edits
No
No
Injection System
No
-
-
No
LBDS
Yes
Edits needed
No
No
PIC
Yes
Minor edits
No
No
Vacuum system
Yes
Edits needed
No
No
WIC
Yes
Minor edits
No
No
System
Access
17-Jul-15
A. Macpherson: MPSCWG - Procedures
3
Timetable for Completion of Procedures
1.
All out-standing procedures submitted to Jan by 1st October*.
2.
Procedures returned to groups after review/cross check by Jan/Alick



3.
From 1st October, start EDMS checking procedures


4.
Tareget: 1 per week.
Start with BIS procedure
As EDMS approval finishes, transfer to MTF.

5.
Expect ~ 1 week per procedure for review and feedback and 2 weeks for
corrections.
Target: Review 1 procedure per week.
Review process started with BIS procedure
Allow 1 week for transfer to MTF
Look to have all procedures in MTF by mid December
* Collimator procedure linked to presentation at MPSCWG on 3rd Oct
17-Jul-15
A. Macpherson: MPSCWG - Procedures
4
Procedures: More Observations

Most procedures have had a first revision

Still awaiting some procedures

Question: is data/state logging considered part of MPS commissioning?

MPSC Commissioning should (where possible) be modular



Use hardware commissioning to set entry conditions for front end systems.
HWC Procedures + results (MTF) to be confirmed by MPSC procedure
Test the interface with the BIS => complementary to BIS Commissioning
 Set exit conditions that allow the system to proceed to validations during
cold machine cold checkout or validation with beam.

MPSC validation must insure that there is no possibility of machine
protection risks due to operator controls


=> procedures to confirm that operators can’t change critical settings?
Dependency on info from BIS and other systems must be made clear
17-Jul-15
A. Macpherson: MPSCWG - Procedures
5
Procedures: Flag concerns
BEAM_INFO Flag
 BEAM_INFO is a mirror of the BEAM_PERMIT that is returned to the
systems inputting to the BIC
 Questions:

Does the system initiate protective actions based on feedback from the BIS
 Does the system use the BEAM_INFO flag for critical actions

If BEAM_INFO= FALSE is used, what are the timescales of the actions?
 Can systems ensure that the initiation of any protective action is > 3 orbits
 Assumption: need a max of 3 orbits to trigger and dump beams
Safe Machine Parameters: Understand if/how they are used
 Questions:




17-Jul-15
Is toggling of USER_PERMIT conditional on the state of the SAFE BEAM flag
If this happens, is the logic integrated into the CIBU/BIC or the user system
Does any subsystem use SAFE_INJECTION flag as part of MPSC
Does any subsystem use Movable_devices_allowed flag as part of MPSC
A. Macpherson: MPSCWG - Procedures
6
Observations: Vacuum System
Vacuum system: good example of movable objects


Interlock Chain: includes sector valves, electron stoppers, Access Safety Block
 Need to confirm commissioning of redundant interlocking mechanisms
 ie vacuum + access, vacuum +RF?
 Need to commission joint system configuration
 RF commissioning mode: ie sector valves open, electron stoppers closed
 Need to confirm protection from equipment failure of movable devices
 Access Safety Block
Vacuum system provides signals directly to others: RF, MKI, MKB, Access

Concerns: are dump requests compatible with MPSC
 Initiation of RF dump requests on loss of good vacuum on P1 cavity.
RF Dump request mechanism depends on intensity threshold +
single/multiple cavity loss.
MKI: Vacuum signals used to assert injection inhibit. Can initiate valve closure.
MKB: Kicker interlock based on vacuum system can generate a dump request
Access system: Ensure that the control logic and configuration for the electron
stoppers and Access Safety Block are such that there is redundancy in the
interlocking





Uses BEAM_INFO =FALSE as a necessary condition for closing sector valves

17-Jul-15
In failure mode, what are the sufficient conditions (eg leak detection)
A. Macpherson: MPSCWG - Procedures
7
Observations: PICs and WICs

Entry Conditions:




PIC and WIC treats both beams simultaneously


Front end commissioned in HWC
Need to re-confirm procedures and MTF results from HWC
Focus on PIC–BIS and WIC–BIS validation
Dump request applies to both beams simultaneously
PIC specific features

PIC does not use USER_PERMIT_A and USER_PERMIT_B


Timescale Concern:


Need to confirm location of interlock truth table for Auxiliary circuit faults + SAFE_BEAM
WIC specific features

Timescale concern:

17-Jul-15
Is system reaction to fault detection (BEAM_INFO=FALSE) too fast for completion of
beam dump. Essential Circuit fault detection: ~ few s
SAFE BEAM Flag and Auxiliary circuits


Uses unmaskable and maskable USER_PERMIT instead
Is system reaction to fault detection (BEAM_INFO=FALSE) too fast for completion of
beam dump. Fault detection for Fast Boolean Processor of WIC: ~ 1 s
A. Macpherson: MPSCWG - Procedures
8
Observations: BIS

Procedure almost ready for checking via EDMS.

Validation of subsystem interface with BIS requires:

Valid USER_PERMITs (or reasonable USER PERMIT simulator?)
 Clear statement of subsystem functionality wrt BIS

BIS logic

Clarification that all logic for setting BEAM_PERMIT to FALSE is within
the BIS system



Timing issues:

17-Jul-15
Confirm there is no safe machine parameter dependence attached to the
USER_PERMIT.
USER_PERMIT as received by the BIS: Clarify difference between “A AND B
FALSE” and “A OR B FALSE” when setting the BEAM_PERMIT (during
commissioning)
Validation of worst case time from user system toggling the USER
PERMIT to completion of a beam dump= > confirm fastest reaction
timescale
A. Macpherson: MPSCWG - Procedures
9
Observations: FMCM

Entry conditions established by HWC

Commissioning in situ and with pilot beam


FMCM inputs only into the BIS


Beam time at 450 GeV and 7TeV beam is needed to set trigger
thresholds and trigger time-window
Inputs are maskable
Special commissioning mode

FMCM test mode: can set USER_PERMIT FALSE on request


Data logging essential


17-Jul-15
Need to confirm this mode cannot be invoked during running
used to set trigger threshold for USER_PERMIT
Included in MPSC procedure
A. Macpherson: MPSCWG - Procedures
10
Observations: LBDS

For MPSC, LBDS is a complex system:

Beam dump related Inputs




BEAM PERMIT loop trigger from BIS
Direct TCDQ BLM trigger (independent of BIS)
Direct Access system trigger (independent of BIS)
Interlock related Outputs

LBDS USER_PERMIT



Individual User system tests, Hardware Commissioning, and MPSC tests.


MPSC entry conditions must confirm previous test sets
Use MPSC tests to validate chain of control prior to the LBDS Reliability Run
detailed 1st draft but …needs more focus on MPSC for a non-ideal situation.

Address issues and modes of (partial) failure of component user systems




Implications of lost abort gap synchronisation from the RF
Partial loss of communication with injection system
Define acceptance criteria/functionality for tests so to permit clear validation.

17-Jul-15
Injection Inhibits sent to injection kickers and re-phased RF revolution frequency sent to
abort gap watchdog
Commissioning needs to be cleanly divided into


Can LBDS set its USER_PERMIT to FALSE with beam in the machine?
How does the procedure adapt when the criteria are not quite met.
Clarify implications of LBDS internal dump requests
A. Macpherson: MPSCWG - Procedures
11
Summary

Procedures

1st drafts of available procedures have been reviewed.



Submit revised procedures for EDMS approval then to MTF


Start process now and finish by mid December.
Global picture

Assess interdependencies between systems in relation to MPSC

Clarify if any automated actions are based on feedback from the BIS

If so, ensure timescales are compatible with integrated system response

Require procedures confirm no operations influence on critical settings

Address MPSC risks for partial failure modes, especially in complex
systems like the LBDS

Understand/review implications to protection given different states of
the safe machine parameters ( SAFE_BEAM, SAFE_INJECTION etc)

17-Jul-15
Will circulate back to subsystems for corrections and cross checks.
Need to get all out-standing 1st drafts
Ensure that any safe machine parameter dependent interlock logic is in BIS
A. Macpherson: MPSCWG - Procedures
12
Spare Stuff
17-Jul-15
A. Macpherson: MPSCWG - Procedures
13
17-Jul-15
A. Macpherson: MPSCWG - Procedures
14
Access Safety Block


17-Jul-15
Covered by both Access and Vacuum system interlocks
Time scale for closure is slow (~ 3sec) => much slower
than beam dump.
A. Macpherson: MPSCWG - Procedures
15

similar documents