Transcript LCLS Personnel Protection System An introduction to the LCLS PPS LCLS PPS - P.Bong.

LCLS
Personnel Protection System
An introduction to the LCLS PPS
LCLS PPS - P.Bong
Introduction

The LCLS Injector will produce electron
bunches with an energy of 135 MeV and
will be steered by a series of magnets.
Hazard analysis was performed and
passive hazard abatement controls
applied. After applying passive controls an
engineered protection system was
deemed to be necessary. The LCLS
Injector is a shielded housing with a single
entrance.
LCLS PPS - P.Bong
Breakdown
Logic Description
 PPS Theory of Operation
 Hardware
 Appendix

Beamline component hazard analysis
 Beamline Schematic
 Architectural Drawings

LCLS PPS - P.Bong
Logic Description
LCLS PPS - P.Bong
Technical Basis Document

The Radiation Safety Systems Technical
Basis Document (SLAC-I-720-0A05Z-002)
is the guideline for designing the
Personnel Protection System.
LCLS PPS - P.Bong
Hazard Analysis

Appendix A contains a list of all the
hazards along with the credible power
output.
LCLS PPS - P.Bong
Passive Hazard Abatement
Shielding has been calculated and
installed in the housing between Sector 20
and the LCLS Injector.
 All Electrical Hazards exceeding 50 volts
or 10 joules will be covered.

LCLS PPS - P.Bong
Engineering Controls for Hazards




The gun is a source of prompt radiation. The gun power supply will
be redundantly interlocked. The gun will be permitted when the
LCLS Injector Housing is in No Access with a Search Reset and the
Linac housing is searched and timed out for beam operation.
There is one back beam stopper for the LCLS Injector housing
(RST-1). This stopper is interlocked to the 2-29 PPS Security Loop
which provides permits to VVS 1A through VVS 15. The stopper
may be extracted when the LCLS Injector Housing is in No Access
with a Search Reset.
A BSOIC has been installed inside the LCLS Injector housing to
detect radiation from the Linac. The BSOIC is interlocked to the 2-29
PPS Security Loop which provides permits to VVS 1A through VVS
15.
The LCLS Injector also includes laser light hazards. A Laser Safety
System which is independent of the LCLS PPS will be used to
insure personnel protection from laser light. The LCLS-LSS will be
built using a PLC.
LCLS PPS - P.Bong
PPS Theory of Operation
LCLS PPS - P.Bong
3 State Access Control System

The LCLS PPS will have a three state
access control system consisting of
No Access
 Controlled Access
 Permitted Access

LCLS PPS - P.Bong
Interlocks for Safe Entry
The access control system will have a
keybank to provide tokens to personnel
accessing the housing. No changes in
access state will be allowed when the
keybank is missing tokens.
 The entry module into the LCLS Injector
will have a door and a gate. Both the door
and gate will be interlocked with redundant
sense switches.

LCLS PPS - P.Bong
Warning Lights and Signs
The access module will have posted
warnings to indicate that the enclosure is a
radiological area.
 An annunciator sign above the door will
indicate the current access state.
 A Yellow/Magenta light will indicate the
safe/running status of the LCLS Injector
enclosure.

LCLS PPS - P.Bong
Search and Audio/Visual Warnings


The administrative search will be facilitated with
the use of a Search Preset key-switch inside the
Injector housing and a Search Reset key-switch
at the entry module. After the search is set and
all interlocks are reset the LCLS Injector housing
may be set to the state of No Access.
When the LCLS Injector is set to No Access the
lights will flash and an audio announcement will
play for the duration of two minutes. After two
minutes of audio/visual warning the lights will be
extinguished, the audio will be silenced and the
gun will be permitted to be turned on.
LCLS PPS - P.Bong
Emergency Entry/Exit Provisions
The entry module door will be locked with
a magnetic lock.
 In case of emergency the magnetic lock
may be defeated by an Emergency Entry
or Exit (E/E) pushbutton located next to
the door.
 Activation of the E/E button causes a loss
of the interlock summary as well as a loss
of the search preset and reset.

LCLS PPS - P.Bong
Gun Permits

The gun is permitted to be turned on only
after all interlocks are reset, the area is set
to No Access with the two minute timeout
complete, the Linac set to No Entry and
timed out with the 2-29 Security Loops
complete.
LCLS PPS - P.Bong
Stoppers and BTMs



There are no forward beam stoppers for the
LCLS Injector.
Linac beam is prevented from entering the LCLS
Injector housing by the back beam stopper RST1. RST-1 may be opened and beam injected into
the Linac only when the LCLS Injector housing is
secure and in No Access with the 2-29 security
loop complete.
RST-1 has an associated BTM to detect stopper
damage.
LCLS PPS - P.Bong
Security Violation and Response



Any security violation will cause a loss of the
search preset and reset status and will cause a
loss of redundant permits to the gun.
The 2-29 security loops will loose the summary
status and turn off VVS-1A through VVS-15
when RST-1 (LCLS Injector back beam stopper)
is out.
The Linac must be timed out after a violation to
the 2-29 PPS Security Loops to restore permits
to the VVS.
LCLS PPS - P.Bong
Hardware
LCLS PPS - P.Bong
General Hardware



Materials that resist radiation are used for
components located in areas where radiation
levels are high enough to cause radiation
damage.
Cables will be contained in tray or conduit.
Where tray or conduit is not economical or
feasible the cable will be armored.
All logic components and cross connects will be
contained in locked racks or locked electrical
cabinets.
LCLS PPS - P.Bong
Programmable Logic Controller
The PLC Selected for use in SLAC PPS is
the Allen Bradley ControlLogix system with
diagnostic input and output modules.
 The Programming and Debugging Tool for
ControlLogix is RSLogix 5000.
 This Allen Bradley system was chosen for
the body of experience available here at
SLAC and the MTBF data available for
components in this family of products.

LCLS PPS - P.Bong

Self Checking


Modular


The ControlLogix architecture provides the user with
methods of detecting and reacting to faults in the
system.
PLC modules are swappable. Modules may be
electronically keyed to prevent incorrectly configuring
the system.
Testability

The RSLogix 5000 software provides programmable
tests for system integrity. When faults are detected
the software will set the system to a safe state and
warn the operator of a fault.
LCLS PPS - P.Bong
Redundancy

The LCLS Injector PPS will be controlled
by two independent PLCs. The PLCs will
run different versions of software
developed by two programmers.
LCLS PPS - P.Bong
Security




The PLC will be secured in a locked PPS rack.
The PLC will have a standard TCP/IP connector. The
TCP\IP connection is for local diagnostics and the PLC
will not be connected to a network.
Communication with control system will be limited to
discrete bits from input and output modules. The
information provided by the bits must be deciphered by
the control system and the PLC thus limiting the
messages that can be sent between the two systems.
A hardwired permissive signal will be sent to the PLC in
concert with the control system communication to
authenticate all messages sent to the PLC.
LCLS PPS - P.Bong
Configuration Control




Configuration of the PPS is tightly controlled in
accordance with the SLAC Guidelines for Operations.
Requests for system modification must be submitted in
writing to the PPS Group Leader. The PPS Group
Leader will assign an engineer to the task.
Prior to modification the PPS group will submit relevant
documentation to the ESD Safety Systems Review
Officer. The SSRO will coordinate the review process
and grant permission to proceed with modification.
Modification of the PPS will proceed in accordance with
the SLAC Guidelines for Operations section 14
Configuration Control of Radiation Safety Systems.
LCLS PPS - P.Bong
Regular Certification

PPS will be certified regularly in
accordance with the SLAC Guidelines for
Operations section 27 Testing of
Personnel Protection Systems.
LCLS PPS - P.Bong
Technical Problems

The system has yet to be presented to the RSC for approval


The communications protocol has to be determined.



Protocols that can link TCP/IP messages to the PPS controller are
unacceptable.
Luc Lessard at SSRL and I are working on method that passes an array
of discrete bits between the control system and the PLC.
The cableplant may be 30% denser than initially estimated.


The presentation is scheduled for late June.
The extra conductors would carry the N.O. side of the Form-C switches
in the field for use in diagnostic testing.
The failure mode of the PLC is indeterminate.

By using redundancy, diagnostic subroutines and periodic testing the
PPS would have to suffer multiple failures before an accident is
probable.
LCLS PPS - P.Bong