Embed Size (px)
Citation preview
www.lightsource.ca
CLS LINAC SAFETY SYSTEM UPGRADE
Hao Zhang, Elder Matias, Grant Cubbon, Carmen Britton, Robby Tanner, Carl Finlay
Canadian Light Source Inc., Saskatoon, Canada
International Conference on Accelerator and Large Experimental Physics Control Systems
Kobe, Japan
LINAC ACIS Display Panel
Horn
LINAC lockup zone layout
LINAC ACIS PLC CPU
ACIS PLC - CPU
Emergency off station
Lockup station
Fiber-Optic cable
Door limit switch
Implementation
Development
Integration
Testing
Requirements
Specification
Hazard Analysis
Design Unit
Testing
Development/
Installation
System
Validation
Testing
Safety System Development Process
PLCDigital Input
Module
24 VDC Rely Chain
LUS 1
LUS N
EOS 1
EOS L
.
.
.
.
.
.
.
.
.
PLCDigital Output Module
24 VDC
.
.
.
.
.
.
.
.
.
.
.
.
24 VDC
24 VDC
24 VDC 24 VDC
Permissives interlock Linac
Permissives interlock Linac
Door M
Door 1
.
.
.
AbstractThe Canadian Light Source (CLS) upgraded the safety system for LinearAccelerator (Linac) in October 2009. IEC 61508 SIL 3 certified componentsand methods were adopted in the development of the new system. Thispaper outlines major aspects of the upgrade
INTRODUCTIONIn the CLS, Access Control and Interlock Systems (ACIS) are used in restricted areas to protect personnel from radiation hazards. In theLinac area, a legacy ACIS was used since 1980’s until October 2009. The system was based on early Micro84 Programmable LogicController (PLC). Given the age of the system, difficulty in procurement of spares as the vendor had discontinued support for theplatform; a decision was made to upgrade. Another reason is the old AICS used 120 VAC whereas CLS has adopted 24 VDC for all othercontrol systems. The upgrade ensures the Linac ACIS is consistent with other systems in the facility. All the old sensors, wirings,components, and PLC units were removed. The new ACIS was redesigned and built from scratch.
The new ACIS adopts a two-level, redundant protection mechanism which consists of two independent chains, one governed by asafety-rated PLC system providing SIL-2 as defined by IEC 61508 [1], and a relay-based hardware logic to provide diversity for safetyfunctions.
The system controls access to an area divided into 6 lockup zones [2]. The zone layout was also changed in the upgrade. The zonescontain the electron gun, accelerator sections, switchyard, LINAC-to-Booster Transfer Line (LTB), the LTB/Booster Ring (BR1) interfaceand some adjacent areas including the BR1 RF cavities.
Fundamentally, all lockup zones operate in the same principle, each having its own Emergency Off Stations (EOS), Door InterlockSwitches (SWDI), Lockup Stations (LUS), zone lockup lights (ZLL) and horns (HRN).
Safety System Development Process
The process starts withthe hazard analysis,based on whichrequirements andspecifications aregenerated, and designand implementationnaturally followed fromthere. Testing wasperformed in all stages.Respectively, integrationand unit testing verifythe design meets therequirements and theinstallation is done asthe design.
Linac Lockup Zone Layout DrawingsLinac lockup zone layout drawings were generated to capture detailed requirement and designinformation. The drawings show zone configurations and lockup paths. All components were identifiesand numbered, which makes an IO count possible and perfect input document for wiring diagrams.
Two Chain Redundant Architecture For Safety-
Critical Functions
The ACIS provides fourmajor functions: secure,lockup, annunciation, andinterlocking. The PLC chainprovides all four functions;the relay chain providesredundant functions insafety critical aspects ofsecure and interlocking.
A lockup zone is securedonly when all the doors areclosed and none of theEOSs is pressed. The securefunction is implementedindependently in bothchains.
A zone is considered lockedup only when the lockupsequence, designed by theHSE for each individualzone, has been performedsuccessfully in thisparticular zone.lockup function isimplemented only in thePLC chain.
Limit switchesare used tomonitor doorposition. Eachdoor has twophysicallyindependentswitches forsignalling thetwo separatechains.
Limit switches are used to monitor door position. Each door has two physically independent switches for signalling the two separate chains.Limit switches are used to monitor door position. Each door has two physically independent switches for signalling the two separate chains.Limit switches are used to monitor door position. Each door has two physically independent switches for signalling the two separate chains.
Lockup stationsare installed inselected locationsto ensure thepath is followedand the process istimed. Each LUShas a lockupbutton forsignalling the PLCchain, and agreen LED toprovide visualindication to theinspectors.
An Emergency OffStation consists ofan emergency offbutton, a resetbutton, and threemechanically-interlocked andlatching contacts– two normallyclose contacts forsignalling the twochains and onenormally opencontact foractivating a localred LED when theEOS is pressed. Ifthe emergency offbutton is pressed,all contactsremain latchedand the red LEDremains on untilthe reset button ispressed.
Siemens AS414-4Hprocessor was selectedfor the CPU. With thefault-tolerant run-timelicense installed on theprocessor, the built-infail-safe run-time logic isactivated. Passwordprotection is alsoactivated to protect theprocessor from re-programming.
SIL-3 certified modules with internaldiagnostics and redundant circuitry areused for field I/O. These modules areinstalled in remote I/O stationscommunicating with the CPU overProfibus using the PROFISAFE protocol.Fibre-optic cable is used for data link.This configuration is based onaccepted practice for SIL-3 applicationsas per IEC 61508. The protocol isdeterministic and failsafe when usedwith failsafe hardware. The use ofdistributed I/O via fibre-optic cableprovides electrical decoupling of thesystem, thus avoiding problemsassociated with running signals overlong distances. Given potentialproblems with ground loops, EMInoise and signal degradation usingconventional means, this architectureis more reliable and safe.
Remote I/O station and Fail-Safe I/O modules
Flashlight
Signlight
Annunciation
Horns and lightsare used toprovide audibleand visualannunciations.
The programmingtoolset is SiemensSIMATIC Manager,using ContinuousFunction Chart(CFC) language.
Failsafe CodeSafety critical codes are developed using TÜV-certified function blocks from S7 Fail-Safe SystemsLibrary to ensure fail-safe feature. All failsafe codesare assigned to Organizational Block (OB) 35 bydefault and are executed cyclically every 100ms inruntime.
