

# Software Interlocks System "machine protection"



# 1) Abstract

In the year 2006, a first operational version of a new Java-based Software Interlock System (SIS) was introduced to protect parts of the SPS (Super Proton Synchrotron) complex, mainly CNGS (CERN Neutrinos to Gran Sasso), TI8 (SPS transfer line), and for some areas of the SPS ring. SIS protects the machine through surveillance and by analyzing the state of various key devices and dumping or inhibiting the beam if a potentially dangerous situation occurs. Being a part of the machine protection, it shall gradually replace the old SPS Software Interlock System (SSIS) and reach the final operational state targeting LHC (Large Hadron Collider) in Q4 2007. The system, which was designed with the use of modern, state-of-the-art technologies, proved to be highly successful and very reliable from the very beginning of its existence. Its relatively simple and very open architecture allows for fast and easy configuration and extension to meet the demanding requirements of the forthcoming LHC era.

# 2) High Energy Beams

Airbus 380:



The energy of an A380 at 700 km/hour corresponds to the energy stored in the LHC magnet system.

**Energy stored** in beam





High energy beams are dangerous for equipment!

The energy

stored in an SPS

and LHC beam is

orders of magni-

tude above the

damage level of

The energy of one shot (5 kg) at 43'000 km/hour corresponds to the 350 MJ of energy stored in the beams

High intensity LHC extraction test in SPS incident in 2004.



# 3) Beam Interlocks System (Hardware)

Both SPS and LHC must be protected by Beam Interlocks System. The role of **BIS** is to prevent injection and extraction or dump the beam whenever a failure may lead to a damage of accelerator components. The BIS reaction times are on the time scale of microseconds, limited mostly by transmission delays in electrical components. BIS is designed to provide very high safety and availability since it has to protect very costly equipment. In practice the coverage is limited for historical and

accelerator.

#### 4) Key Requirements

The SIS system has to:

- anticipate failures and give early alarms
- accommodate complex interlock logic
- be flexible
- be easy to configure
- complement BIS

### 5) Architecture

#### Layered architecture

SIS is composed of two main layers working independently from each other:

- Data Acquisition Layer
- Data Processing Layer Components are managed by
- a Spring container.



#### **Boolean Expression Permit Tree**



It represents a complex interlock condition on a given set of devices. Leaves are direct individual channels that are connected directly to the equipment. Intermediate nodes represents partial results (like combined power converters state). The top node is a Permit signal that gets

exported to external systems (like BIS).

# Fault analysis

System operators have an integrated fault analysis tool which searches for typical failure scenarios. It helps answering a question of why there was an interlock.

sis-core

(cs-ccr-sis1)

Controls middleware



# **Deployment**

The system is deployed on two machines - a primary one and a backup. It uses an Oracle database for persistence and a JMS broker for remote access.

# 6) Configuration

The configuration is stored in a separate project in CVS. There are two main XML

- Parameter subscriptions definition
- Permit trees definition

Both are generated with Velocity template engine to avoid text duplication and facilitate splitting large files

into smaller ones. #parse("cern/sps/sis/config/sps-sis-macros.vm")
<ParameterSet name="CMW-SET" restartPolicy="ONCE"> #parse("cern/sps/sis/config/SPS/LSS4-Septa-#parse("cern/sps/sis/config/SPS/LSS6-Septa-#foreach( \$pcName in \$TI2PCList) <Parameter id="ctim://ctim/CTIM.SPS/SX.SCY-CT" > <Selector id="SPS.USER.ALL" onChange="false"/> <Parameter id="MDLV2201M" ame="MDLV2201M/STATUS" >



Transfer Line/Target-Area-<ValueCondition cycleAware="false" acqWindow="45000"</pre> index="3" operator=">" value="122" /> <Test refid="NORTH ZS HV ON" /> <Test refid="NORTH ZS1 IONTRAP"/> </LogicalCondition> LogicalCondition operator="OR"> <Test refid="MODE TT60 NO EXTRACTION" <Test refid="LSS6 TT60 TRANSFER LINE" / <BICExporter target="CIB.BA6.TT60A"/> <TimingExporter target="I S.SIS TT60"/> <Selector id="SPS.USER.ALL" onChange="false"/> <Parameter id="QSLD2201" name="QSLD2201/STATUS">

#### 7) Graphical User Interface

The core of the system is controlled by a **GUI interface**. Its main goal is to provide a view to the configuration and current state of the system. Operators can see the faulty channels and analyze them with the analysis tool. Two main layers of the system are viewed



# 8) Conclusions

As of today SIS successfully surveys over 1200 individual software channels for the SPS accelerator. It has become a vital tool for everyday operations. It will be used to control the LHC machine. The applied architecture has proven itself very reliable in practice making the SIS project a great success at CERN.

practical reasons. This is the origin of the need for Software Interlocks System to provide further protection of the







Spring