Magnet Safety Systems – Magnet Common Project
E. Sbrissa, G. Olesen – CERN/EP



Page 1: Magnet Safety Systems – Magnet Common Project E. Sbrissa, G. Olesen – CERN/EP

10th of April 2003 ATLAS “MSS Specification”


2.4 Fail-safe operation

All connections around the MSS are “fail-safe” types, that is, if a connection is broken the system will by default initiate an action to bring the machine to a safe state. This principle is shown in figure 2.4.1.

During operation of the magnet, but only at low currents, the cavern can be accessible and cable disconnections can therefore occur. These fall into two groups:

1. Analogue sensor cable errors
2. Digital signal cable errors

Any disconnection of a cable in the safety chain produces a cable trace error, which is registered by the MCS via the MSS monitoring system, see also figure 2.3.2. The logic of the MCS then decides what action to take. The cable traces are also part of the start-up tests, and initial current cannot be allowed in the magnet unless all traces are connected.

Disconnecting any of the analogue sensor cables will cause emission of an “Alarm” or initiation of a “Slow Dump”.

From the analogue chassis onwards, signals in the safety chain are digital. A disconnection of a cable will here initiate the action associated with the highest level of safety contained in the cable, due to the “fail-safe” principle used. The resulting action is usually a “Fast Dump”, necessitating a subsequent reset of the whole MSS.
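The behaviour described in this section, modelled as an added example (this is not code from the MSS project or the specification). It treats every digital line as a normally-ON optocoupler loop that reads healthy only while energised, so a dismounted cable de-energises all of its loops and the most severe action the cable carries is taken; analogue channels are modelled as window-detector inputs (out-of-range or broken trace leads to the channel's Alarm or Slow Dump), and the cable traces gate the start-up test. The action names and their ordering come from the text; the channel names, window limits, line names and readings are constructed for the example.

```python
"""Model of the MSS fail-safe chain of section 2.4 (added example, not
project code).  Digital lines are treated as normally-ON optocoupler loops
(energised = healthy), analogue channels as window-detector inputs, and each
cable carries the list of actions it can request.  Channel names, window
limits and readings below are constructed for the example."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Action(IntEnum):
    """Safety actions from the text, ordered least to most severe."""
    NONE = 0
    ALARM = 1
    SLOW_DUMP = 2
    FAST_DUMP = 3


@dataclass
class AnalogueChannel:
    """Sensor input to the analogue chassis.  `reading` is None when the
    cable trace is broken; a window detector flags levels outside
    [low, high], e.g. a level sitting near a supply rail."""
    name: str
    low: float
    high: float
    on_fault: Action            # ALARM or SLOW_DUMP, per the text
    reading: Optional[float] = None

    def evaluate(self) -> Action:
        if self.reading is None:                         # trace broken
            return self.on_fault
        if not self.low <= self.reading <= self.high:    # out of window
            return self.on_fault
        return Action.NONE


@dataclass
class DigitalCable:
    """Analogue chassis onwards.  Each line is a normally-ON loop that reads
    healthy only while energised; dismounting the cable de-energises every
    loop it carries, so the most severe action on the cable is taken."""
    name: str
    lines: dict                 # line name -> Action that line requests
    connected: bool = True
    energised: dict = field(default_factory=dict)   # line -> bool, default ON

    def evaluate(self) -> Action:
        if not self.connected:
            return max(self.lines.values())          # fail-safe default
        tripped = [act for line, act in self.lines.items()
                   if not self.energised.get(line, True)]
        return max(tripped, default=Action.NONE)


def traces_connected(analogue, digital) -> bool:
    """Start-up test: no current unless every cable trace is present."""
    return (all(ch.reading is not None for ch in analogue)
            and all(c.connected for c in digital))


def evaluate_chain(analogue, digital) -> Action:
    """Most severe action requested anywhere in the chain."""
    actions = [ch.evaluate() for ch in analogue] + [c.evaluate() for c in digital]
    return max(actions, default=Action.NONE)


def build_chain():
    """Constructed sample chain: two analogue sensors, one logic cable."""
    temp = AnalogueChannel("coil_temp", 0.5, 4.5, Action.ALARM, reading=2.1)
    press = AnalogueChannel("he_pressure", 0.5, 4.5, Action.SLOW_DUMP, reading=3.0)
    lcs = DigitalCable("lcs_to_api", {"warning": Action.ALARM,
                                      "slow_dump": Action.SLOW_DUMP,
                                      "fast_dump": Action.FAST_DUMP})
    return [temp, press], [lcs]


def scenarios() -> dict:
    """Run the disconnection cases from the text and return each outcome."""
    out = {}
    a, d = build_chain()
    out["healthy"] = evaluate_chain(a, d)
    out["startup_ok"] = traces_connected(a, d)
    a, d = build_chain(); a[0].reading = None          # analogue cable unplugged
    out["analogue_trace_broken"] = evaluate_chain(a, d)
    out["startup_with_broken_trace"] = traces_connected(a, d)
    a, d = build_chain(); a[1].reading = 4.95          # level near supply rail
    out["analogue_near_rail"] = evaluate_chain(a, d)
    a, d = build_chain(); d[0].energised["warning"] = False   # one loop dropped
    out["single_line_tripped"] = evaluate_chain(a, d)
    a, d = build_chain(); d[0].connected = False       # whole cable dismounted
    out["digital_cable_dismounted"] = evaluate_chain(a, d)
    return out


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case:28s} -> {result.name if isinstance(result, Action) else result}")
```

The design point is that the "safe" reading of every digital line is the energised one, so any loss of signal (cut cable, dead supply, failed opto) is indistinguishable from a deliberate request for the most severe action on that cable; a dropped single loop only requests its own action, while a dismounted cable requests the Fast Dump it carries.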

Page 2: Magnet Safety Systems – Magnet Common Project E. Sbrissa, G. Olesen – CERN/EP


[Figure 2.4.1: block diagram of the fail-safe signal chain. Only the slide's text labels are recoverable here; they are listed in order of appearance, grouped where the grouping is evident.]

1. Sensor input: galvanic isolation > 2 kV; cable trace; input protection/signal conditioner; filtering/voltage discrimination.
2. Analog Module: analog level surveillance by over-range (over-range and module fault reported to the monitoring system); power; cable trace; analogue outputs; time discrimination; outputs level fail-safe, opto normally ON.
3. Digital Input Module: inputs level fail-safe, opto normally ON; digital outputs level fail-safe, opto normally ON.
4. Hard-wired Logic Module (second section not shown): monitoring/cable trace to the monitoring system; clock; ALTERA; monitoring to MCS/Annunciator. Cable fail-safe: if the cable is dismounted, all alarms/warnings are active.
5. LCS (Logic Chassis System) to API/APC (Application Interface and Control): fail-safe relays normally ON. Cable fail-safe: if the cable is dismounted, a fast dump is initiated.
6. Monitoring/cable trace to the monitoring system; MCB, CP, CR, etc.

Page 3: Magnet Safety Systems – Magnet Common Project E. Sbrissa, G. Olesen – CERN/EP


2.4 Fail-safe operation

The exceptions to the fail-safe principle are the analogue levels, by definition, and the ALTERA integrated circuit used for the logic program.

Window detectors on the modules, which signal an out-of-range condition to the MSS monitoring system, monitor the analogue levels. This detects the cases where an analogue circuit has an internal short-circuit and the level is close to the supply voltages.

Due to the internal structure of the ALTERA circuits it is not possible to certify that these are fail-safe. MSS will here rely on the quality and estimated lifetime of these. The ALTERA corporation regularly updates its reliability reports for its circuits, and the latest, showing the data relevant to the ALTERA device used in MSS, can be seen in appendix 2.4.1.

It is stated there that the corporation is ISO 9001, MIL and JEDEC certified, and uses recognized methods for reliability testing.

The chip in question, EP20K200, has a combined FIT (Failures In Time, i.e. failures per 10^9 device hours) of 24 (page 13), meaning one estimated failure in 42 million device hours.
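The FIT figure carried one step further, as an added derivation that is not part of the specification. FIT is defined as failures per 10^9 device hours, and the FIT convention assumes a constant failure rate (exponential lifetime model), which is the assumption made here; the one-year mission time is chosen for illustration.

$$
\lambda = \frac{24}{10^{9}\ \text{h}} = 2.4\times10^{-8}\ \text{h}^{-1},
\qquad
\text{MTBF} = \frac{1}{\lambda} = \frac{10^{9}}{24}\ \text{h} \approx 4.17\times10^{7}\ \text{h}
$$

$$
P(\text{failure within } t) = 1 - e^{-\lambda t},
\qquad
t = 8760\ \text{h (one year, continuous)}:\quad
1 - e^{-2.4\times10^{-8}\cdot 8760} \approx 2.1\times10^{-4}
$$

So for the one component in the chain that cannot be shown fail-safe, the estimated probability of a device failure in a year of continuous operation is about 2×10^{-4} per chip, which is the number the reliance on vendor reliability data actually buys; it says nothing about whether such a failure would land on the safe side, which is exactly why the rest of the chain is built so that it does not have to.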