The Detector Safety System for Experiments at the LHC

The Detector Safety System
for LHC Experiments
Stefan Lüders ― CERN EP/SFT & IT/CO
CHEP03 ― UC San Diego ― March 27th, 2003
Outline
• Experimental Safety
• The DSS
• Experimental Needs
• Functional Requirements
• Design and Architecture of the Prototype
• Planning and Conclusions
March 27th, 2003
“The Detector Safety System for LHC Experiments” @ CHEP03
2/15
3 Levels of Experiment Safety

The LHC experiments and their equipment:
• (sub-)detectors,
• gas systems,
• magnets,
• power distribution,
• racks and crates
will be the equipment to be acted upon directly by the control and safety systems.

Technical Services provide power, water, gas (general services) and distribute them to the different locations (experiment services).

Sensors monitor the state of the sites, e.g.
• temperature (equipment, ambient air, water),
• humidity,
• water-flow,
• sniffers,
• status signals of the sub-detectors

The safety for personnel is ensured by the CERN Safety System (CSS). It is required by law and conforms to relevant International, European, and National standards. It has its own sensors and reacts globally, i.e. on whole buildings or caverns.

The Experiment’s Detector Control System (DCS) is responsible for overall monitoring and control of the detector. It might take corrective action to maintain normal operation. All DCS sub-systems are interconnected.

In 2001, the experiments have realized that some safety aspects are not covered by the CSS and DCS. The DSS was born.

“The DSS is a system to safeguard the experiment. As such, it acts to prevent damage to the experimental equipment when a serious fault situation is detected (e.g. temperature too high, water leak, bad sub-detector status…), inside or outside of the detector…”

DSS complements DCS and CSS:
• DSS is embedded in the DCS.
• Alarm conditions are exchanged with the CSS (hardwired).

There are dedicated sensors for the different safety and control systems, but they are not duplicated.

[Diagram labels: Experiment DCS Back-End / Supervisory Layer; Front-End / Hardware Layer; DCS sub-system A, DCS sub-system B, DCS sub-system C; CSS; DSS; monitor; control; Level 1 (normal), Level 2 (error), Level 3 (fatal); General services: power, water; Experiment services: power, water, gas; Experiment: sub-detectors, racks, crates; Sensors; Water Leak, Smoke, Gas Leak, Trip]
Scope and Goal: An Optimization Challenge
The DSS should…
• protect experimental equipment
• improve the experiment’s efficiency by…
  • preventing situations leading to level-3-alarms (these might lead to 2-3 weeks downtime)
  • decreasing downtime due to failures
• not cost too much

DSS can be considered as an “insurance policy”.
Constraints for the DSS
• The DSS is a common solution proposed for all four LHC experiments (ALICE, ATLAS, CMS and LHCb)
• Easy integration…
  • into the control system of the experiment
  • of sub-detector safety systems
  • of external information (from the LHC machine, gas system, CSS, …)
• Adaptability…
  • to the different needs of four experiments
  • to the evolving experiment environments
LHC Experimental Needs
• 200 to 800 analog and digital inputs to be monitored
• several 100 digital outputs
• sensors and actuators located in the caverns and in several buildings on the surface

Geographically distributed system

[Diagram labels: Surface buildings, Counting rooms, Detector]
The DSS Functional Requirements
The DSS functional requirements have been evaluated by the four LHC experiments in a joint working group.
The DSS must be a standalone system, and be…
• highly reliable
• highly available
• as simple and robust as possible
• re-configurable by the experiments’ safety experts
• self-checking for consistency
The Prototyping Phase
A DSS prototype
• is currently being developed by the DSS Team (2.5 FTE) to meet the defined requirements
• will be a “proof-of-concept”

The DSS Advisory Board, consisting of representatives from all four LHC experiments, safety experts, and the DSS Team are overseeing the prototyping phase.
A review in June 2003 will verify that the design meets the requirements. This will allow for series production.
DSS Front-End Architecture
After discussions in the DSS Advisory Board, the Front-End will…
• be based on industrial solutions, e.g.
  • PLC technology for safety applications
  • standard communication protocols (PROFIBUS, Ethernet, OPC)
• have its own sensors and actuators
• check and filter the input sensors
• be on safe power (CERN safe power plus own UPS)
• always react immediately and automatically on fault conditions indicated by the sensors
The PLC Cycle
• The PLC continuously monitors the sensors, e.g. temperatures, water flow, sub-detector status.
• Input values are compared to defined thresholds.
• Several conditions can be logically combined. Their fulfillment will produce an alarm.
• Alarms will trigger defined actions.
• Actions are taken on a coarse level (e.g. cutting power to a complete sub-detector).

[Diagram: PLC cycle, from Input: Sensors through three “T>Tthres” comparisons combined by AND into an Alarm, to Output: Action (e.g. cutting off power) and End-of-Cycle]
DSS Back-End Architecture
The DSS User Interface (Back-End) will…
• be based on the SCADA system “PVSS” and CERN’s JCOP Framework
• monitor and configure the Front-End
• allow a configuration of the relations between sensor values, alarms, and the actions performed in these cases (the “Alarm/Action Matrix”)
• define user access levels
• provide the user with comprehensible displays
• log alarm states, warnings, and related information
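The PLC cycle and the Alarm/Action Matrix described on the two slides above, as an added Python sketch that is not part of the talk and not DSS code. Sensor names, thresholds and action names are constructed, and treating an unreadable input as a fault is an assumption about how the input check behaves.

```python
# Added illustration: sensor names, thresholds and actions are constructed.
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Condition:
    sensor: str
    threshold: float            # condition holds when value > threshold

@dataclass(frozen=True)
class Alarm:
    name: str
    conditions: tuple           # all conditions must hold (logical AND)
    actions: tuple              # coarse actions triggered by the alarm

# Constructed Alarm/Action Matrix with two rows.
MATRIX = (
    Alarm("RACK_OVERTEMP",
          (Condition("rack_temp_a", 45.0), Condition("rack_temp_b", 45.0)),
          ("cut_power_subdetector_x",)),
    Alarm("WATER_LEAK",
          (Condition("leak_level", 0.5),),
          ("cut_power_subdetector_x", "close_water_valve")),
)

def condition_met(cond, inputs):
    """Compare one input to its threshold.

    Assumption: an unreadable input (missing or NaN) counts as a fault,
    so a dead sensor or cut cable cannot mask an alarm.
    """
    value = inputs.get(cond.sensor)
    if value is None or math.isnan(value):
        return True
    return value > cond.threshold

def plc_cycle(inputs, matrix=MATRIX):
    """One cycle: evaluate every alarm row, collect each action once."""
    alarms, actions = [], []
    for alarm in matrix:
        if all(condition_met(c, inputs) for c in alarm.conditions):
            alarms.append(alarm.name)
            for action in alarm.actions:
                if action not in actions:
                    actions.append(action)
    return alarms, actions
```

Because both temperature conditions are ANDed, a single hot reading raises no alarm, while a lost `leak_level` reading alone is enough to trigger the leak actions.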
DSS Architecture

[Diagram labels: CERN LAN; DSS COM; PVSS; OPC Server; Main crate: redundant PS, CPU 414-4H, Ethernet adapter (CP 443-1); Profibus; External crate: ET 200M, redundant PS, Profibus adapter, I/O interfaces]

Front-End:
• based on a Siemens S7-400 station
• capable of handling the number of channels (inputs and outputs) as required
• programmed through the Siemens STEP7 development environment
• implementation and processing of the Alarm/Action Matrix

Front-End (continued):
• External crates based on S7-300 modules
• uses Profibus
• located close to the sensors (<200m)
• I/O interfaces hot-swappable
• inputs and outputs use “positive safety”

Redundancy:
• up to the level of I/O interfaces
• CPU, power supply, backup in case of failure
• modules have high MTBF (low failure rates).
• optical link between the CPU modules
• step-by-step comparison inside the processing of the PLC cycles

OPC server:
• gateway to the Back-End (Windows XP)
• data distribution via Siemens OPC software
• monitors the Front-End communication

Back End:
• PVSS user interface for
  • display
  • logging
  • modification of the Alarm/Action Matrix
Status
Hardware development
• The PLC hardware has been installed in the DSS lab at CERN and is currently being commissioned.
• Survey of useful sensors (ambient air & cooling water temperature, humidity, etc.) has started.
Software development
• A first implementation of the Front-End software has been made.
• The DSS database prototype has been defined. It is based on Oracle.
• PVSS Back-End interface implementation is in progress.

The prototype DSS system will be ready for the review in June 2003.
Planning Overview

Task | Status | Target Date
Front-End software | Operational | April 2003
Integration, commissioning, and test of the complete prototype | In progress | April 2003
Back-End software | In progress | May 2003
System Review | | June 2003
Final tests of the (revised) prototype | | Summer 2003
Installation / commissioning for CMS | | Summer 2003
First operational DSS for CMS | | September 2003
Installation / commissioning for LHCb | | Autumn/Fall 2003
First operational DSS for LHCb | | November 2003
First operational DSS for ALICE | | January 2004
First operational DSS for ATLAS | | December 2004
Conclusion
The design of the Detector Safety System, arrived at in consultation with the DSS Advisory Board, will consist of…
• a Front-End:
  • Siemens S7-400 redundant PLC hardware
  • PC based OPC server acting as a gateway
• a Back-End:
  • A PC based system with the PVSS user interface, using CERN’s JCOP Framework
  • Oracle Database connection for data and configuration logging

The prototype will be ready for the review in June 2003
For more details see: http://cern.ch/proj-lhcdss/