

Magnet Safety Systems – Magnet Common Project
E. Sbrissa, G. Olesen – CERN/EP

2.4 Fail-safe operation
All connections around the MSS are of the “fail-safe” type, that is, if a connection is broken the system will by default initiate an action to bring the machine to a safe state. This principle is shown in figure 2.4.1.

During operation of the magnet, but only at low currents, the cavern can be accessible and cable disconnections can therefore occur. These fall into two groups:
      1. Analogue sensor cable errors
      2. Digital signal cable errors

Any disconnection of a cable in the safety chain produces a cable trace error, which is registered by the MCS via the MSS monitoring system (see also figure 2.3.2). The logic of the MCS then decides what action to take. The cable traces are also part of the start-up tests, and initial current cannot be allowed in the magnet unless all traces are connected.

Disconnecting any of the analogue sensor cables will cause emission of an “Alarm” or initiation of a “Slow Dump”.

From the analogue chassis onwards, the signals in the safety chain are digital. Here a disconnection of a cable will initiate the action associated with the highest level of safety carried by that cable, due to the “fail-safe” principle used. The resulting action is usually a “Fast Dump”, necessitating a subsequent reset of the whole MSS.

10th of April 2003         ATLAS “MSS Specification”

[Figure 2.4.1 – block diagram of the fail-safe signal chain; image not reproduced. Labels recovered from the figure:
      Analog Module: sensor input, cable trace, galvanic isolation (> 2 kV), filtering/protection/signal, voltage, over-range, time discrimination, module fault, analog outputs; “analog level surveillance by over-range”; “level fail-safe, opto normally ON”; “cable fail-safe: if cable is dismounted, all are active”.
      LCS – Logic Chassis System: hard-wired logic module (second section not shown), clock, ALTERA, digital input module (“level fail-safe, opto normally ON”), monitoring, digital outputs, monitoring/cable trace; “cable fail-safe: if cable is dismounted, fast dump is initiated”.
      API/APC – Application Interface and Control: monitoring system, monitoring/cable trace, MCS/Annunciator, monitoring system, “fail-safe relais normally …” (label truncated), MCB, CP, CR, etc.]
The exceptions to the fail-safe principle are the analogue levels, by definition, and the ALTERA integrated circuit used for the logic.

The analogue levels are monitored by window detectors on the modules, which signal an out-of-range condition to the MSS monitoring system. This detects the cases where an analogue circuit has an internal short-circuit and the level is close to the supply voltages.

Due to the internal structure of the ALTERA circuits it is not possible to certify that they are fail-safe. The MSS will here rely on the quality and estimated lifetime of these devices. The ALTERA corporation regularly updates its reliability reports for its circuits, and the latest report, showing the data relevant to the ALTERA device used in the MSS, can be seen in appendix 2.4.1.

It is stated there that the corporation is ISO 9001, MIL and JEDEC certified, and uses recognized methods for reliability testing.

The chip in question, EP20K200, has a combined FIT (Failure In Time) of 24 (page 13), meaning one estimated failure in 42 million device hours.
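The following model, added here as an illustration and not part of the CERN specification or the MSS/MCS code, shows the behaviour section 2.4 describes: an analogue sensor whose cable is unplugged raises a cable trace error and its configured “Alarm” or “Slow Dump”; a window detector reports an analogue level near the supply rail as out-of-range (the model treats that like a sensor fault, which is an assumption); a digital cable whose optos are normally ON reads as all-OFF when dismounted, so the action taken is the highest safety level the cable carries, usually a “Fast Dump” that requires an MSS reset; and the start-up test refuses initial current while any trace is disconnected. The sensor names, window limits, cable contents and the small FIT conversion helper are constructed for the example.

```python
"""Fail-safe signal-chain model for section 2.4 (added illustration, not CERN code).

Sensor names, window limits and cable contents below are constructed sample values."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Action(IntEnum):
    """Safety actions in increasing severity, as ordered in the text."""
    NONE = 0
    ALARM = 1
    SLOW_DUMP = 2
    FAST_DUMP = 3


@dataclass
class AnalogueSensor:
    name: str
    value: Optional[float]        # None models a disconnected cable (cable trace error)
    window: tuple[float, float]   # window-detector limits (assumed values)
    on_fault: Action              # "Alarm" or "Slow Dump", as section 2.4 states


@dataclass
class DigitalCable:
    """A cable carrying digital lines whose optos are normally ON.

    OFF is the trip state, so a dismounted cable reads as all-OFF and the
    resulting action is the highest safety level carried by that cable."""
    name: str
    lines: dict[str, Action]                      # line -> action that line requests
    connected: bool = True
    opto_on: dict[str, bool] = field(default_factory=dict)


def evaluate_analogue(sensor: AnalogueSensor) -> tuple[Action, list[str]]:
    """Cable trace check plus window-detector surveillance of the analogue level."""
    if sensor.value is None:
        return sensor.on_fault, [f"{sensor.name}: cable trace error"]
    low, high = sensor.window
    if not low <= sensor.value <= high:
        # Level near a supply rail: the window detector reports out-of-range to the
        # monitoring system. Assumption: handled like a sensor fault in this model.
        return sensor.on_fault, [f"{sensor.name}: analogue level out-of-range ({sensor.value})"]
    return Action.NONE, []


def read_line(cable: DigitalCable, line: str) -> bool:
    """Fail-safe read: a disconnected cable returns OFF for every line."""
    if not cable.connected:
        return False
    return cable.opto_on.get(line, False)


def evaluate_digital(cable: DigitalCable) -> tuple[Action, list[str]]:
    """Each OFF opto requests its line's action; the cable yields the highest one."""
    events = [] if cable.connected else [f"{cable.name}: cable trace error"]
    action = Action.NONE
    for line, level in cable.lines.items():
        if not read_line(cable, line):
            events.append(f"{cable.name}/{line}: requests {level.name}")
            action = max(action, level)
    return action, events


def startup_traces_ok(sensors, cables) -> bool:
    """Start-up test: no initial current unless every cable trace is connected."""
    return all(s.value is not None for s in sensors) and all(c.connected for c in cables)


def mss_evaluate(sensors, cables):
    """Returns (action, events, reset_required); a Fast Dump needs a full MSS reset."""
    action, events = Action.NONE, []
    for s in sensors:
        a, e = evaluate_analogue(s)
        action, events = max(action, a), events + e
    for c in cables:
        a, e = evaluate_digital(c)
        action, events = max(action, a), events + e
    return action, events, action == Action.FAST_DUMP


def fit_to_mean_hours(fit: float) -> float:
    """FIT = failures per 1e9 device-hours; 24 FIT is about 42 million hours per failure."""
    return 1e9 / fit


# Constructed sample state: one analogue cable unplugged, one level near the rail,
# and the logic-to-MCS cable dismounted while the cavern is accessible.
SAMPLE_SENSORS = [
    AnalogueSensor("coil_temperature", 4.6, (0.0, 10.0), Action.SLOW_DUMP),
    AnalogueSensor("helium_level", None, (0.0, 10.0), Action.ALARM),
    AnalogueSensor("voltage_tap", 9.95, (0.1, 9.9), Action.SLOW_DUMP),
]
SAMPLE_CABLES = [
    DigitalCable("logic_to_mcs", {"fast_dump": Action.FAST_DUMP, "alarm": Action.ALARM},
                 connected=False, opto_on={"fast_dump": True, "alarm": True}),
    DigitalCable("interlock_a", {"slow_dump": Action.SLOW_DUMP}, opto_on={"slow_dump": True}),
]

if __name__ == "__main__":
    print("start-up traces ok:", startup_traces_ok(SAMPLE_SENSORS, SAMPLE_CABLES))
    action, events, reset = mss_evaluate(SAMPLE_SENSORS, SAMPLE_CABLES)
    for e in events:
        print(" ", e)
    print("resulting action:", action.name, "| MSS reset required:", reset)
    print("EP20K200 at 24 FIT: %.1f million device hours per failure" % (fit_to_mean_hours(24) / 1e6))
```

Note that the fail-safe property lives entirely in `read_line`: the code never needs to know why a line reads OFF, so a broken cable, a dead opto and a genuine trip all produce the same safe-side action, which is what makes the start-up trace test necessary to distinguish a wiring fault from a real event before current is allowed.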
