MPSC Procedures An update

1
MPSC ProceduresAn update

• Alick Macpherson
• Rutgers University/ETH Zurich

2
MPSC Procedures Observations

• Purpose
• Procedures are required for systems that can by
  their malfunctioning cause significant damage to
  LHC equipment
• Procedures are required for 3 types of system
• Central system This is the BIS.
• Standard System A system that interfaces only
  to the BIS
• Complex System
• A system supplies inputs to systems in addition
  to the BIS.
• A system that reacts to signal from the BIS (ie
  BEAM_INFO, SAFE_Machine parameters)
• Examples
• Central BIS
• Standard PIC, WIC, FMCM
• Complex Vacuum, BLM, LBDS
• Systems not (yet) included in the MPSC procedures
• Electron stoppers (RF), Access, Movable objects
  

3
MPSC Procedures Status
System 1st Draft Edit Status EDMS Ready MTF Ready
Access ? - - No
BIS Yes Updated Yes No
BLM Not yet - - No
Collimators Not yet - - No
FMCM Yes Minor edits No No
Injection System No - - No
LBDS Yes Edits needed No No
PIC Yes Minor edits No No
Vacuum system Yes Edits needed No No
WIC Yes Minor edits No No
4
Timetable for Completion of Procedures

• All out-standing procedures submitted to Jan by
  1st October.
• Procedures returned to groups after review/cross
  check by Jan/Alick
• Expect 1 week per procedure for review and
  feedback and 2 weeks for corrections.
• Target Review 1 procedure per week.
• Review process started with BIS procedure
• From 1st October, start EDMS checking procedures
• Tareget 1 per week.
• Start with BIS procedure
• As EDMS approval finishes, transfer to MTF.
• Allow 1 week for transfer to MTF
• Look to have all procedures in MTF by mid
  December
• Collimator procedure linked to presentation at
  MPSCWG on 3rd Oct

5
Procedures More Observations

• Most procedures have had a first revision
• Still awaiting some procedures
• Question is data/state logging considered part
  of MPS commissioning?
• MPSC Commissioning should (where possible) be
  modular
• Use hardware commissioning to set entry
  conditions for front end systems.
• HWC Procedures results (MTF) to be confirmed by
  MPSC procedure
• Test the interface with the BIS gt complementary
  to BIS Commissioning
• Set exit conditions that allow the system to
  proceed to validations during cold machine cold
  checkout or validation with beam.
• MPSC validation must insure that there is no
  possibility of machine protection risks due to
  operator controls
• gt procedures to confirm that operators cant
  change critical settings?
• Dependency on info from BIS and other systems
  must be made clear

6
Procedures Flag concerns

• BEAM_INFO Flag
• BEAM_INFO is a mirror of the BEAM_PERMIT that is
  returned to the systems inputting to the BIC
• Questions
• Does the system initiate protective actions based
  on feedback from the BIS
• Does the system use the BEAM_INFO flag for
  critical actions
• If BEAM_INFO FALSE is used, what are the
  timescales of the actions?
• Can systems ensure that the initiation of any
  protective action is gt 3 orbits
• Assumption need a max of 3 orbits to trigger and
  dump beams
• Safe Machine Parameters Understand if/how they
  are used
• Questions
• Is toggling of USER_PERMIT conditional on the
  state of the SAFE BEAM flag
• If this happens, is the logic integrated into the
  CIBU/BIC or the user system
• Does any subsystem use SAFE_INJECTION flag as
  part of MPSC
• Does any subsystem use Movable_devices_allowed
  flag as part of MPSC

7
Observations Vacuum System

• Vacuum system good example of movable objects
• Interlock Chain includes sector valves, electron
  stoppers, Access Safety Block
• Need to confirm commissioning of redundant
  interlocking mechanisms
• ie vacuum access, vacuum RF?
• Need to commission joint system configuration
• RF commissioning mode ie sector valves open,
  electron stoppers closed
• Need to confirm protection from equipment failure
  of movable devices
• Access Safety Block
• Vacuum system provides signals directly to
  others RF, MKI, MKB, Access
• Concerns are dump requests compatible with MPSC
• Initiation of RF dump requests on loss of good
  vacuum on P1 cavity.
• RF Dump request mechanism depends on intensity
  threshold single/multiple cavity loss.
• MKI Vacuum signals used to assert injection
  inhibit. Can initiate valve closure.
• MKB Kicker interlock based on vacuum system can
  generate a dump request
• Access system Ensure that the control logic and
  configuration for the electron stoppers and
  Access Safety Block are such that there is
  redundancy in the interlocking
• Uses BEAM_INFO FALSE as a necessary condition
  for closing sector valves
• In failure mode, what are the sufficient
  conditions (eg leak detection)

8
Observations PICs and WICs

• Entry Conditions
• Front end commissioned in HWC
• Need to re-confirm procedures and MTF results
  from HWC
• Focus on PICBIS and WICBIS validation
• PIC and WIC treats both beams simultaneously
• Dump request applies to both beams simultaneously
• PIC specific features
• PIC does not use USER_PERMIT_A and USER_PERMIT_B
• Uses unmaskable and maskable USER_PERMIT instead
• Timescale Concern
• Is system reaction to fault detection
  (BEAM_INFOFALSE) too fast for completion of beam
  dump. Essential Circuit fault detection few
  ?s
• SAFE BEAM Flag and Auxiliary circuits
• Need to confirm location of interlock truth table
  for Auxiliary circuit faults SAFE_BEAM
• WIC specific features
• Timescale concern
• Is system reaction to fault detection
  (BEAM_INFOFALSE) too fast for completion of beam
  dump. Fault detection for Fast Boolean Processor
  of WIC 1 ?s

9
Observations BIS

• Procedure almost ready for checking via EDMS.
• Validation of subsystem interface with BIS
  requires
• Valid USER_PERMITs (or reasonable USER PERMIT
  simulator?)
• Clear statement of subsystem functionality wrt
  BIS
• BIS logic
• Clarification that all logic for setting
  BEAM_PERMIT to FALSE is within the BIS system
• Confirm there is no safe machine parameter
  dependence attached to the USER_PERMIT.
• USER_PERMIT as received by the BIS Clarify
  difference between A AND B FALSE and A OR B
  FALSE when setting the BEAM_PERMIT (during
  commissioning)
• Timing issues
• Validation of worst case time from user system
  toggling the USER PERMIT to completion of a beam
  dump gt confirm fastest reaction timescale

10
Observations FMCM

• Entry conditions established by HWC
• Commissioning in situ and with pilot beam
• Beam time at 450 GeV and 7TeV beam is needed to
  set trigger thresholds and trigger time-window
• FMCM inputs only into the BIS
• Inputs are maskable
• Special commissioning mode
• FMCM test mode can set USER_PERMIT FALSE on
  request
• Need to confirm this mode cannot be invoked
  during running
• Data logging essential
• used to set trigger threshold for USER_PERMIT
• Included in MPSC procedure

11
Observations LBDS

• For MPSC, LBDS is a complex system
• Beam dump related Inputs
• BEAM PERMIT loop trigger from BIS
• Direct TCDQ BLM trigger (independent of BIS)
• Direct Access system trigger (independent of BIS)
• Interlock related Outputs
• LBDS USER_PERMIT
• Can LBDS set its USER_PERMIT to FALSE with beam
  in the machine?
• Injection Inhibits sent to injection kickers and
  re-phased RF revolution frequency sent to abort
  gap watchdog
• Commissioning needs to be cleanly divided into
• Individual User system tests, Hardware
  Commissioning, and MPSC tests.
• MPSC entry conditions must confirm previous test
  sets
• Use MPSC tests to validate chain of control prior
  to the LBDS Reliability Run
• detailed 1st draft but needs more focus on MPSC
  for a non-ideal situation.
• Address issues and modes of (partial) failure of
  component user systems
• Implications of lost abort gap synchronisation
  from the RF
• Partial loss of communication with injection
  system

12
Summary

• Procedures
• 1st drafts of available procedures have been
  reviewed.
• Will circulate back to subsystems for corrections
  and cross checks.
• Need to get all out-standing 1st drafts
• Submit revised procedures for EDMS approval then
  to MTF
• Start process now and finish by mid December.
• Global picture
• Assess interdependencies between systems in
  relation to MPSC
• Clarify if any automated actions are based on
  feedback from the BIS
• If so, ensure timescales are compatible with
  integrated system response
• Require procedures confirm no operations
  influence on critical settings
• Address MPSC risks for partial failure modes,
  especially in complex systems like the LBDS
• Understand/review implications to protection
  given different states of the safe machine
  parameters ( SAFE_BEAM, SAFE_INJECTION etc)
• Ensure that any safe machine parameter dependent
  interlock logic is in BIS

13
Spare Stuff
14
(No Transcript)
15
Access Safety Block

• Covered by both Access and Vacuum system
  interlocks
• Time scale for closure is slow ( 3sec) gt much
  slower than beam dump.