Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
Ca
ble
Lo
op
of S
ite
Exte
rna
l E
nve
lop
e E
IS-A
cce
ss S
tatu
s
SIT
E x
Cable Loop EIS-beam of LHC Ring
EIS-beam of TI2
EIS-beam of TI8
PLC
EIS
Site
Ca
ble
Lo
op
SITE 1
Site
Ca
ble
Lo
op
SITE 2
Be
am
Ke
y
EIS
EIS
CERN/GS/ASE Access Project Team:C. Delamare, S. Di Luca, T. Hakulinen, L. Hammouti,
F. Havart, J-F Juget, T. Ladzinski, P. Ninin, R. Nunes,
T. Riesco, E. Sanchez-Corral Mena, F. Valentini
Access Safety SystemsNew Concepts from the LHC ExperienceThe LHC Access Safety System has introduced a number of new concepts into the domain of personnel protection at CERN. These can be grouped into
several categories: organisational, architectural and concerning the end-user experience. By anchoring the project on the solid foundations of the IEC
61508/61511 methodology, the CERN team and its contractors managed to design, develop, test and commission on time a SIL3 safety system. The
system uses a successful combination of the latest Siemens redundant safety programmable logic controllers with a traditional relay logic hardwired loop.
The external envelope barriers used in the LHC include personnel and material access devices, which are interlocked door-booths introducing increased
automation of individual access control, thus removing the strain from the operators. These devices ensure the inviolability of the controlled zones by users
not holding the required credentials. To this end they are equipped with personnel presence detectors and the access control includes a state of the art
biometry check. Building on the LHC experience, new projects targeting the refurbishment of the existing access safety infrastructure in the injector chain
have started. This paper summarises the new concepts introduced in the LHC access control and safety systems, discusses the return of experience and
outlines the main guiding principles for the renewal stage of the personnel protection systems in the LHC injector chain in a homogeneous manner.
The LHC Access System : Access Control and Access Safety Architecture Concepts
Co
ntr
ol &
Sa
fety
Se
pa
ratio
n
Tw
o C
ha
nn
el S
afe
ty S
yste
m
Private Installation Network (Optical Fibre)
Global Interlock PLC
Gateway
PLC
Operation & Maintenance Desk CERN External
Systems
Access Mode
SelectionAccess/Beam
Selection
Comm ande pour retirer un VETO +confirmation que le VETO est retiré
Position sûre de tous les EIS (non alimenté, fermé etc.)
Comm ande pour envoyer un VETO
+ confirm ation que le VETO est m is
M ODE Aucun VETO sur le groupe d’EIS correspondant
Position non sûre d’au m oins un EIS (alimenté, ouvert, etc.)
Clignotement signalant un incident ou anom alie sur les EIScorrespondants (ex intrusion)
O FF
O N
EIS-f circulant + TED bas de TI2/TI8+ ((SEPT )
EIS-m-RF
ONOFF
RF
EIS-aT
O N OFF
ACCES
TUNNEL
POINT 1
ATLAS
EIS-aT
O N OFF
ACCES
TUNNEL
EIS-aS
O N OFF
ACCES
SERVICE
EIS-aEx
O N OFF
ACCES
EXPERIENCE
EIS-aT
ON O FF
ACCES
TUNNEL
EIS-aS
O N OFF
ACCES
SERVICE
EIS-aT RF
O N OFF
ACCES RF
EIS-aT
O N O FF
ACCES
TUNNEL
AL ICE
EIS-aEx
O N OFF
ACCES
EXPERIENCE
POINT 2
EIS-aS
O N O FF
ACCES
SERVICE
EIS-aT
O N O FF
ACCES
TUNNEL
CM S
EIS-aEx
ON O FF
ACCES
EXPERIENCE
EIS-aS
O N OFF
ACCES
SERVICE
EIS-aT
ON O FF
ACCES
TUNNEL
EIS-aS
ON O FF
ACCES
SERVICE
EIS-aT
ON O FF
ACCES
TUNNEL
EIS-aT
O N O FF
ACCES
TUNNEL
LHC-B
EIS-aEx
O N OFF
ACCES
EXPERIENCE
EIS-aS
O N OFF
ACCES
SERVICE
LHC
OK OK
EIS-a
O N OFF
ACCES
BIWDelay
RAD.Delay
EIS-m -EL
O NO FF
Electron Sto.
TI8
EIS-f
OFF
FAISCEAU
ON
EIS-f
O NO FF
FAISCEAU
TI2
EIS-f
O NO FF
FAISCEAU
RF TEST
Y ES N O
LOCAL
ATL AS
YE S NO
DELEGATION
ALICE
YES N O
DELEGATION
CM S
Y ES N O
DELEGATION
LHC -B
Y ES N O
DELEGATION
POINT 3 POINT 4POINT 5 POINT 6 POINT 7 POINT 8
ATLAS
CERN Control Centre
Private Terminal Network
Technical
Infrastructure
Monitoring
Server 2Server 1
Operator
Console
PLC 8PLC 7PLC 6PLC 5PLC 4PLC 3PLC 2PLC 1 PLC 1.8
Siemens
Station
PatrolGeneral Closed
Mode selection
CANCEL VALIDATE
PM25
PM45
PM65
PM85
Point 1
Point 2
Point 3
Point 8
ULX15
Zone service Zone Tunnel Zone experimentale
Point 4
Point 5
Point 6
Point 7
USC55
PX24
UPX16
PZ45
UX85
Select ALL
PM56
UP23
PZ33
UJ47
UP55
UP63
UJ27
UX46
UL55
UJ67
UJ87
UJ23
UJ43
UPX56
UJ63
PM76
UJ83
PM15 PM18
P P
P
UJ14 UJ16
Restricted
LACS
NTP
CERN Control Centre Back-office
Future ?
Lo
ca
l
dis
pla
y
IRIS
reco
gn
itio
n
PA
D D
oo
rs
op
en
/clo
se
Acce
ss
Ke
ys
dis
trib
utio
n
dis
pla
y
pa
ne
ls
Vid
eo
ca
me
ra
Inte
rco
m &
Mic
rop
ho
ne
Technical Network
(TCP-IP)
Se
cto
r
Do
or
Technical Network
(TCP-IP)
FRONT-END
INTERCOM
Exchange
LG server
ZORADB
Cluster
(IT)
Technical Network
(TCP-IP)
ADAMSHR
DWS
FRONT-END
LASS
DATA
TIM
Technical
alarms
UCP UCP
Door buttons
MA
D
Do
ors
P1 P2
LEDs
Do
or
Lig
hts
Material
Access
Device
UTL
UTA
UTA
RS422
(x 8)
UTL
RS485
Sectors
UCP
UCP
UTD
Video
recorder
CoaxialCard
reader
Personal
Access
DeviceUTL
Operators’
Workstation
for CCC (X 2)
SERVER
(CMSS)
Panel
PC
ICAM
4000
Enrolment
desk
Bat 55
biometric
acquisition
Guards’
workstation
(CSA)
Bat 120
Engineering &
configuration
workstation
Bat 212
ICU
4000
Operators’
Workstation
for ECR (X 4)
Access supervision Access delegation Access
surveillance
biometric data People
Identification
data
access
authorization
data
Events, Logs
Delegation &
interfaces Data acquisition &
load charge ... Intercom,
commandApplicom
OPC OPC
Applicom
P2 P1
Use
r
Ide
ntifica
tio
n
The LHC Experience
Personnel Access Device (PAD)An EIS-access assuring the inviolability of the LHC external envelope and a barrier between the three
types of interlocked zones (Service, Tunnel and Experiment).
Next to each LHC PAD (40 in total), there is a Safety Token (also called “Restricted mode key”)
distributor.
User Identification with
verification of access rights
and the status of periodic
compulsory training and tests.
Biometry Iris Scan to
validate user identification.
A complex automatic
system based on
ground pressure
sensors, infrared
radar and photo-
electric cells
surveying the PAD
at each passage to
eliminate piggybacking
and tailgating.
Material Access Device (MAD)An EIS-access assuring the inviolability of the LHC
external envelope and a barrier between
the interlocked zones.
29 units installed in the LHC
Allows the introduction of
bulky material.
Human presence detection
system comprising:
- Infrared barriers;
- Two volumetric detectors
- Video motion detection
with a millimetre resolution.
Access Statistics – 5 days of Technical Stop (29.08 – 2.09.2011)
Impressive usage means
rush hour congestion
(mostly due to token delivery)...
… but also less time to perform
the even more needed
maintenance...
The New Concepts
… and less maintenance may lead to
lost patrols, which means
less beam time.
Work Acceptance ToolMajor congestion factor was the relatively long time it took for the operator
to verify if an entry request was in relation to a planned maintenance
activity. Hence, the introduction of the Work Acceptance Tool (WAT),
linking an intervention planning tool and the access control system. During
technical stops, the WAT automatically limits access to
planned maintenance interventions only.
In order to achieve the desired level of safety,
the safety systems at CERN are designed using
the IEC61508 family of standards as a
methodology framework. The IEC61508 uses a
probabilistic approach to quantify the risks and to
check that a system can cope with the
requirements defined for each safety function. To
this end it introduces the notion of Safety
Integrity Level (SIL), which is a measure of
safety. It permits to determine the target level of
risk reduction that a safety instrumented system
should provide. It is scaled from 1 to 4. The
higher the occurrences rate of a hazardous event
or the severity of its consequences, the higher
the SIL level and the implementation constraints.
In order to deal with the functional safety, a
project strategy has to take into consideration the
following aspects:
Functional
Safety
Methodology
· Preliminary Risk Analysis.
· Specification of the Safety Instrumented
Functions with their corresponding SIL
level, e.g. stopping the beam in case of
an intrusion has been evaluated as a
SIL3 function.
· Preliminary Safety Study based on the
first version of the functional analysis of
the architecture.
· Design and implementation of the system
based on V-shaped lifecycle model.
· Verification and Validation of the system.
· Organisation of operation and
maintenance.
· Definitive Safety Study of the “as built”
system, verifying that the SIL of each
safety instrumented function has been
achieved.
The unexpectedly high usage rate of the LHC Access System in the
restricted mode has led us to seek ways of improving the system to cope
with the high demand. The restricted mode is particularly complex as the
accesses are supervised by the control room operators, the users are
given safety tokens (keys) and the search patrols are preserved in normal
conditions. New concepts have been identified and new solutions
proposed. They currently start being implemented in the access safety
systems of the LHC and its injector chain.
The delivery of a safety token is integrated with the
LHC PAD entry cycle and thus a new token cannot be
delivered until the previous person has successfully
entered. In the PS, the two actions will be decoupled,
with the user first taking the token under the
supervision of the operator and then entering the PAD,
while the operator can already treat another request.
Separation of Token Distribution from PAD Cycle
LHC: in Production
PS: Specification
The goal of moving the external envelope to a second line of protection
(e.g. the ventilation doors behind the access devices) during beam
operation is to provide the maintenance teams the time to do preventive
interventions on all surface access points while the accelerator is in
beam operation.
Maintenance Doors
PS: Specification
LHC: Upgrade Spec
LHC: in Production
Any modification – a new functionality, addition of an EIS or a scope extension –
requires thorough testing of the safety code. To this end each system is
accompanied by a test platform. The LASS test platform provided a test-bed for 2
out of 9 LHC sites at a time. The drawbacks of this testing solution are the need for
hardware reconfiguration of the I/O modules when changing the simulated LHC
sites and a very basic simulator user interface. In the PS, composed of 19 different
machines, each with specific configuration, a more versatile test platform is needed
to be able to cope with testing of possible extensions. It will be based on Siemens
SIMBA module which allows emulation of any I/O configuration without costly
hardware reconfiguration and SIMIT software tool facilitating simulation scenarios.
New Simba/SIMIT Test Platform
PS: Proto 4Q 2011
Access Point Controller Rationalization
PS: Proto 4Q 2011
Removing the EIS-beam from an
Interlock ChainThe EIS-beam are surveyed by the LASS
permanently. Should they quit their safe state in
access mode, the LASS blocks access and, in
case of multiple failures, orders evacuation of the
LHC. EIS-beam can only undergo maintenance
during a complete shutdown of the accelerator
complex. This is regulated by a strict procedure.
In order to facilitate their disconnection from the
system using special “out-of-chain” keys,
additional safety functions have been introduced.
As long as all the EIS-beam are not connected,
the upstream chain interlock will not allow beam
operation.
In the LHC, most of the originally installed magnetic door sensors have
been recently replaced by more robust electromechanical contacts.
These are not affected by the magnetic fields, but need delicate
adjustments. For the PS, a thorough campaign of EMC measurements
has been done prior to choosing the access equipment locations.
EMC Improvements
PS: Studies OK
LHC: Modif Done
LHC: Upgrade
StudiesPAD Control and Safety Synchronisation
A safety action applied in the middle of an access cycle may in some cases result
in the LASS briefly registering both the inner and the outer PAD doors opened,
which results in a patrol drop. The separation of process control and safety does
not preclude synchronisation of the control tasks with the safety actions and the
currently designed PS access devices should have one PLC running the two tasks
in two processes, with safety having a higher priority, but the control being well
synchronised.
Less Controllers in the Access Devices
An LHC access point composed of one PAD and a MAD is equipped with a total of
5 industrial controllers and a PC. The PS personnel safety system architecture will
use only 2 controllers and one PC.
Anti-Fraud Detection as a Safety Function
The critical detection of a fraudulent passage in access devices - human presence
in a MAD and multiple persons in a PAD - is currently performed by local Industrial
controllers. This may lead to the unavailability of the devices in case of failure of
one of the controllers. To improve the dependability of these processes it was
decided to implement them as new safety instrumented functions of the PS safety
system. Moreover, the PS PAD model chosen is more rigid and provides less
internal volume making it virtually impossible to fraud.