Access Safety Systems - CERN

Post on 02-Apr-2020


[Figure: site external envelope. Cable loop of the site external envelope; EIS-access status per site (SITE x); cable loops of the EIS-beam of the LHC ring, of TI2 and of TI8; PLC; EIS; site cable loops for SITE 1 and SITE 2; beam key; EIS.]

CERN/GS/ASE Access Project Team: C. Delamare, S. Di Luca, T. Hakulinen, L. Hammouti, F. Havart, J-F Juget, T. Ladzinski, P. Ninin, R. Nunes, T. Riesco, E. Sanchez-Corral Mena, F. Valentini

Access Safety Systems
New Concepts from the LHC Experience

The LHC Access Safety System has introduced a number of new concepts into the domain of personnel protection at CERN. These can be grouped into several categories: organisational, architectural and concerning the end-user experience. By anchoring the project on the solid foundations of the IEC 61508/61511 methodology, the CERN team and its contractors managed to design, develop, test and commission a SIL3 safety system on time. The system uses a successful combination of the latest Siemens redundant safety programmable logic controllers with a traditional hardwired relay logic loop. The external envelope barriers used in the LHC include personnel and material access devices, which are interlocked door-booths introducing increased automation of individual access control, thus removing the strain from the operators. These devices ensure the inviolability of the controlled zones against users not holding the required credentials. To this end they are equipped with personnel presence detectors, and the access control includes a state-of-the-art biometric check. Building on the LHC experience, new projects targeting the refurbishment of the existing access safety infrastructure in the injector chain have started. This paper summarises the new concepts introduced in the LHC access control and safety systems, discusses the return of experience (lessons learned) and outlines the main guiding principles for renewing the personnel protection systems of the LHC injector chain in a homogeneous manner.

The LHC Access System: Access Control and Access Safety Architecture Concepts

[Figure: architecture diagram of the LHC Access System. Panels: "Control & Safety Separation"; "Two Channel Safety System" (Private Installation Network over optical fibre, Global Interlock PLC, Gateway PLC, Operation & Maintenance Desk, CERN external systems, Access Mode Selection / Access-Beam Selection).]

[Figure: operator mode panel legend, translated from French: command to remove a VETO, with confirmation that the VETO is removed; safe position of all EIS (unpowered, closed, etc.); command to send a VETO, with confirmation that the VETO is set; MODE: no VETO on the corresponding group of EIS; unsafe position of at least one EIS (powered, open, etc.); flashing signals an incident or anomaly on the corresponding EIS (e.g. intrusion). ON/OFF indicators.]

[Figure: LHC access synoptic. For each point (Points 1 to 8; experiments ATLAS, ALICE, CMS, LHC-B): EIS-aT (tunnel access), EIS-aS (service access) and EIS-aEx (experiment access) with ON/OFF status; EIS-f (beam, "FAISCEAU") for the LHC, TI2 and TI8 ("EIS-f circulating + TED down in TI2/TI8"); EIS-m-RF and EIS-m-EL (RF, electron stopper); BIW delay and RAD delay; RF TEST and LOCAL; access DELEGATION YES/NO per experiment.]

[Figure: CERN Control Centre. Private Terminal Network; Technical Infrastructure Monitoring; Server 1 and Server 2; Operator Console; PLC 1 to PLC 8 and PLC 1.8; Siemens station. Mode selection dialogue (Patrol, General, Closed, Restricted; Cancel / Validate; Select ALL) over the site list (PM15, PM18, PM25, PM45, PM56, PM65, PM76, PM85, PX24, PZ33, PZ45, UJ14, UJ16, UJ23, UJ27, UJ43, UJ47, UJ63, UJ67, UJ83, UJ87, UL55, ULX15, UP23, UP55, UP63, UPX16, UPX56, USC55, UX46, UX85) grouped as service zone, tunnel zone and experimental zone; LACS; NTP; CERN Control Centre back-office; "Future ?".]

[Figure: access point equipment and data flows. PAD: local display, iris recognition, doors open/close, access key distribution, display panels, video camera, intercom and microphone, card reader. MAD: doors, LEDs, door lights, door buttons. Sector door. Technical Network (TCP-IP). UCP, UTL, UTA and UTD units over RS422 (x8) and RS485; video recorder over coaxial; front-ends; intercom exchange; LG server; ZORA DB cluster (IT); ADAMS HR; DWS; LASS data; TIM technical alarms; CMSS server; panel PC; ICAM 4000 and ICU 4000; enrolment desk with biometric acquisition (Bat 55); guards' workstation, CSA (Bat 120); engineering and configuration workstation (Bat 212); operators' workstations for the CCC (x2) and the ECR (x4). Flows: access supervision, access delegation, access surveillance, biometric data, people identification data, access authorisation data, events and logs, delegation and interfaces, data acquisition and load, intercom command, Applicom OPC; user identification.]

The LHC Experience

Personnel Access Device (PAD)
An EIS-access assuring the inviolability of the LHC external envelope and a barrier between the three types of interlocked zones (Service, Tunnel and Experiment). Next to each LHC PAD (40 in total), there is a Safety Token (also called "Restricted mode key") distributor.
- User identification with verification of access rights and of the status of periodic compulsory training and tests.
- Biometric iris scan to validate the user identification.
- A complex automatic system based on ground pressure sensors, infrared radar and photo-electric cells monitoring the PAD at each passage to eliminate piggybacking and tailgating.

Material Access Device (MAD)
An EIS-access assuring the inviolability of the LHC external envelope and a barrier between the interlocked zones. 29 units are installed in the LHC. It allows the introduction of bulky material. Its human presence detection system comprises:
- Infrared barriers;
- Two volumetric detectors;
- Video motion detection with a millimetre resolution.

Access Statistics – 5 days of Technical Stop (29.08 – 2.09.2011)
[Figure: access statistics chart; the values are not recoverable from the transcript.]

Impressive usage means rush hour congestion (mostly due to token delivery)... but also less time to perform the even more needed maintenance... and less maintenance may lead to lost patrols, which means less beam time.

The New Concepts

Work Acceptance Tool
A major congestion factor was the relatively long time it took for the operator to verify whether an entry request was related to a planned maintenance activity. Hence the introduction of the Work Acceptance Tool (WAT), linking an intervention planning tool and the access control system. During technical stops, the WAT automatically limits access to planned maintenance interventions only.
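The entry decision at a PAD, as described for the LHC PAD (identification, access rights, validity of periodic compulsory training, iris check) and extended by the WAT during a technical stop, as an added example that is not CERN's code. Every user record, zone name, course name and date below is constructed; the iris comparison is a string-equality stand-in for a real biometric matcher; and the planning lookup is a hypothetical stand-in for the intervention planning tool the WAT links to.

```python
"""Access decision at a PAD: identify the user, check zone rights and training
validity, and during a technical stop require a planned intervention (WAT).
Added example with constructed data; not CERN's implementation."""

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class User:
    badge: str
    iris_template: str            # stand-in for the enrolled biometric template
    zones: set                    # zones the user holds access rights for
    training_valid_until: dict    # course name -> expiry datetime


@dataclass
class PlannedIntervention:       # one row of the (hypothetical) planning tool
    badge: str
    zone: str
    start: datetime
    end: datetime


@dataclass
class EntryRequest:
    badge: str
    iris_sample: str
    zone: str
    at: datetime


# Constructed: which periodic courses each interlocked zone requires.
REQUIRED_TRAINING = {"Tunnel": ["radiation", "self-rescue"], "Service": ["radiation"]}


class PadAccessDecision:
    def __init__(self, users, interventions, technical_stop):
        self.users = {u.badge: u for u in users}
        self.interventions = interventions
        self.technical_stop = technical_stop   # True => WAT restriction active

    def evaluate(self, req):
        """Return (granted, reason). Each refusal names the failed check, so the
        operator does not have to work it out by hand (the congestion factor)."""
        user = self.users.get(req.badge)
        if user is None:
            return False, "unknown badge"
        if user.iris_template != req.iris_sample:      # stand-in for a biometric match
            return False, "iris mismatch"
        if req.zone not in user.zones:
            return False, "no access right for zone %s" % req.zone
        for course in REQUIRED_TRAINING.get(req.zone, []):
            expiry = user.training_valid_until.get(course)
            if expiry is None or expiry < req.at:
                return False, "training expired or missing: %s" % course
        if self.technical_stop and not self._planned(req):
            return False, "no planned intervention (WAT)"
        return True, "ok"

    def _planned(self, req):
        return any(i.badge == req.badge and i.zone == req.zone and i.start <= req.at <= i.end
                   for i in self.interventions)


def demo():
    """Constructed scenario during a technical stop: one user with a planned
    8-hour intervention in the Tunnel zone, a second whose training has lapsed."""
    t0 = datetime(2011, 8, 29, 8, 0)
    users = [
        User("B-1001", "iris-A", {"Tunnel", "Service"},
             {"radiation": t0 + timedelta(days=200), "self-rescue": t0 + timedelta(days=30)}),
        User("B-1002", "iris-B", {"Tunnel"},
             {"radiation": t0 - timedelta(days=1), "self-rescue": t0 + timedelta(days=30)}),
    ]
    plan = [PlannedIntervention("B-1001", "Tunnel", t0, t0 + timedelta(hours=8))]
    pad = PadAccessDecision(users, plan, technical_stop=True)
    return {
        "planned": pad.evaluate(EntryRequest("B-1001", "iris-A", "Tunnel", t0 + timedelta(hours=1))),
        "outside_window": pad.evaluate(EntryRequest("B-1001", "iris-A", "Tunnel", t0 + timedelta(hours=9))),
        "wrong_iris": pad.evaluate(EntryRequest("B-1001", "iris-B", "Tunnel", t0)),
        "lapsed_training": pad.evaluate(EntryRequest("B-1002", "iris-B", "Tunnel", t0)),
    }


if __name__ == "__main__":
    for case, (granted, reason) in demo().items():
        print("%-16s %s (%s)" % (case, "GRANTED" if granted else "REFUSED", reason))
```

The checks are ordered from cheapest to most expensive and the WAT check comes last, so a request refused for a lapsed training course is never counted as a planning problem; in practice the planning lookup would be a query against the intervention planning tool rather than an in-memory list.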

Functional Safety Methodology
In order to achieve the desired level of safety, the safety systems at CERN are designed using the IEC 61508 family of standards as a methodology framework. IEC 61508 uses a probabilistic approach to quantify the risks and to check that a system can meet the requirements defined for each safety function. To this end it introduces the notion of Safety Integrity Level (SIL), which is a measure of safety: it sets the target level of risk reduction that a safety instrumented system should provide, on a scale from 1 to 4. The higher the occurrence rate of a hazardous event or the severity of its consequences, the higher the SIL and the implementation constraints. In order to deal with functional safety, a project strategy has to take the following aspects into consideration:
· Preliminary Risk Analysis.
· Specification of the Safety Instrumented Functions with their corresponding SIL; e.g. stopping the beam in case of an intrusion has been evaluated as a SIL3 function.
· Preliminary Safety Study based on the first version of the functional analysis of the architecture.
· Design and implementation of the system based on a V-shaped lifecycle model.
· Verification and Validation of the system.
· Organisation of operation and maintenance.
· Definitive Safety Study of the "as built" system, verifying that the SIL of each safety instrumented function has been achieved.
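A worked illustration of the probabilistic side of the methodology described above, added here and not CERN's own safety study: the average probability of failure on demand (PFDavg) of a low-demand safety instrumented function is estimated for a single-channel logic solver and for a redundant two-channel (1oo2) one, then mapped onto the IEC 61508 low-demand SIL bands. The closed-form expressions are the standard's simplified approximations (dangerous undetected failure rate lambda_DU, proof-test interval T1, a beta factor for common-cause failures, repair time ignored); the failure rate, test interval and beta value used in the demonstration are constructed, not LHC data.

```python
"""PFDavg for 1oo1 and 1oo2 architectures and the resulting SIL (low-demand
mode). Added example using the simplified IEC 61508-6 formulas; all numeric
inputs are constructed."""

# Low-demand SIL bands on PFDavg: (SIL, lower bound inclusive, upper bound exclusive).
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def sil_from_pfd(pfd):
    """SIL whose band contains pfd; 0 when PFDavg >= 0.1 (no SIL claim possible).
    The standard defines nothing beyond SIL4, so values below 1e-5 report 4."""
    if pfd < 1e-5:
        return 4
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0


def pfd_1oo1(lambda_du, t1):
    """Single channel: an undetected dangerous failure stays hidden until the
    next proof test, so on average the channel is failed for half the interval."""
    return lambda_du * t1 / 2


def pfd_1oo2(lambda_du, t1, beta):
    """Two channels, either one sufficient to trip. Independent failures must
    both occur within one interval (quadratic term); a fraction beta of the
    dangerous failures is assumed to strike both channels at once."""
    independent = ((1 - beta) * lambda_du * t1) ** 2 / 3
    common_cause = beta * lambda_du * t1 / 2
    return independent + common_cause


def compare_architectures(lambda_du, t1, beta):
    """Return {architecture name: (PFDavg, SIL)} for the three cases."""
    cases = {
        "1oo1": pfd_1oo1(lambda_du, t1),
        "1oo2, no common cause": pfd_1oo2(lambda_du, t1, 0.0),
        "1oo2, beta=%.2f" % beta: pfd_1oo2(lambda_du, t1, beta),
    }
    return {name: (pfd, sil_from_pfd(pfd)) for name, pfd in cases.items()}


if __name__ == "__main__":
    # Constructed inputs: 1e-6 dangerous undetected failures per hour per
    # channel, a yearly proof test (8760 h) and 2 % common-cause fraction.
    for name, (pfd, sil) in compare_architectures(1e-6, 8760.0, 0.02).items():
        print("%-24s PFDavg = %.2e  -> SIL %d" % (name, pfd, sil))
```

With these inputs the single channel lands in the SIL2 band, an ideal 1oo2 pair in SIL4, and the same pair with a 2 % common-cause fraction in SIL3: the common-cause term, not the independent term, sets the achievable SIL of a redundant architecture. That is the quantitative reason a second channel of a different technology (the poster's hardwired relay loop beside the safety PLCs) is worth more than a second identical controller.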

The unexpectedly high usage rate of the LHC Access System in the restricted mode has led us to seek ways of improving the system to cope with the high demand. The restricted mode is particularly complex, as the accesses are supervised by the control room operators, the users are given safety tokens (keys) and the search patrols are preserved in normal conditions. New concepts have been identified and new solutions proposed. They are currently starting to be implemented in the access safety systems of the LHC and its injector chain.

Separation of Token Distribution from PAD Cycle (LHC: in Production; PS: Specification)
The delivery of a safety token is integrated with the LHC PAD entry cycle, and thus a new token cannot be delivered until the previous person has successfully entered. In the PS, the two actions will be decoupled, with the user first taking the token under the supervision of the operator and then entering the PAD, while the operator can already treat another request.

Maintenance Doors (PS: Specification; LHC: Upgrade Spec)
The goal of moving the external envelope to a second line of protection (e.g. the ventilation doors behind the access devices) during beam operation is to give the maintenance teams the time to do preventive interventions on all surface access points while the accelerator is in beam operation.

LHC: in Production

New Simba/SIMIT Test Platform (PS: Proto 4Q 2011)
Any modification – a new functionality, the addition of an EIS or a scope extension – requires thorough testing of the safety code. To this end each system is accompanied by a test platform. The LASS test platform provided a test-bed for 2 out of 9 LHC sites at a time. The drawbacks of this testing solution are the need for hardware reconfiguration of the I/O modules when changing the simulated LHC sites and a very basic simulator user interface. In the PS, composed of 19 different machines, each with a specific configuration, a more versatile test platform is needed to be able to cope with the testing of possible extensions. It will be based on the Siemens SIMBA module, which allows emulation of any I/O configuration without costly hardware reconfiguration, and the SIMIT software tool facilitating simulation scenarios.

Access Point Controller Rationalization (PS: Proto 4Q 2011)

Removing the EIS-beam from an Interlock Chain
The EIS-beam are surveyed by the LASS permanently. Should they leave their safe state in access mode, the LASS blocks access and, in case of multiple failures, orders evacuation of the LHC. EIS-beam can only undergo maintenance during a complete shutdown of the accelerator complex. This is regulated by a strict procedure. In order to facilitate their disconnection from the system using special "out-of-chain" keys, additional safety functions have been introduced. As long as not all the EIS-beam are connected, the upstream chain interlock will not allow beam operation.

EMC Improvements (PS: Studies OK; LHC: Modif Done)
In the LHC, most of the originally installed magnetic door sensors have recently been replaced by more robust electromechanical contacts. These are not affected by the magnetic fields, but need delicate adjustments. For the PS, a thorough campaign of EMC measurements has been done prior to choosing the access equipment locations.

PAD Control and Safety Synchronisation (LHC: Upgrade Studies)

A safety action applied in the middle of an access cycle may in some cases result in the LASS briefly registering both the inner and the outer PAD doors as opened, which results in a patrol drop. The separation of process control and safety does not preclude synchronisation of the control tasks with the safety actions, and the currently designed PS access devices should have one PLC running the two tasks in two processes, with safety having the higher priority but the control being well synchronised.

Fewer Controllers in the Access Devices
An LHC access point composed of one PAD and one MAD is equipped with a total of 5 industrial controllers and a PC. The PS personnel safety system architecture will use only 2 controllers and one PC.

Anti-Fraud Detection as a Safety Function
The critical detection of a fraudulent passage in the access devices - human presence in a MAD and multiple persons in a PAD - is currently performed by local industrial controllers. This may lead to the unavailability of the devices in case of failure of one of the controllers. To improve the dependability of these processes it was decided to implement them as new safety instrumented functions of the PS safety system. Moreover, the PS PAD model chosen is more rigid and provides less internal volume, making it virtually impossible to defraud.