Upload: amia-balch

Post on 19-Jan-2016

Alarms and interlocks handling in the FSM environment

Hypernet

1. The standardization of the FSM state diagram;

2. The FSM error states and their recovering procedures;

3. An overview on the CAEN, WIENER and ISEG interlocks inputs

4. Conclusions

The Standardization in the FSM environment

The FSM approach to designing a control system (CS) makes it possible to define an “insulation layer” between the operator and the detector during detector operation. Apart from the top-level state diagram, the underlying ones may be unknown to the operator. However, to let any ALICE operator carry out a recovery procedure (e.g. from the ERROR state) on different sub-detectors but on the same sub-system (HV, LV…), it would be wise to adopt a common approach to designing the state diagrams of the sub-systems as well. While welcome at the sub-system level, FSM standardization is mandatory at the level of sub-detector operation. This is intended to let the ALICE DCS layer send the same series of commands to operate all the sub-detectors simultaneously and easily calculate the overall ALICE logical state.

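[Figure: control hierarchy. ECS at the top; ALICE DCS (TRD DCS, HMPID DCS, TPC DCS), Trigger (TRD TR, HMPID TR, TPC TR) and DAQ (TRD, HMPID, TPC) branches; HV and LV sub-systems. Annotations: "Standard State Diagrams", "Sub-detector oriented State Diagrams", "YES", "NO", "wise".]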


First attempt: TPC and HMPID

The HMPID HV subsystem (7 modules) state diagram

[Figure: state diagram. States: OFF, STANDBY, RAMPING_UP, RAMPING_DOWN, ON, ERROR. Transition labels: CONFIGURE, Go_Standby, Go_ON, Go_OFF, Go_RampDW, Reset, Repair, Acknowledge. Annotations: "All channels off with PS ON"; "After the download of recipes all modules are at Standby"; "All modules in Standby"; "At least one module is ramping up"; "At least one module is ramping down"; "From any state upon Reset"; "Alarm conditions".]

Alarm conditions pushing the system in ERROR:

• External interlock (Gas, SS…)

• SY1527 fan tray failure

• SY1527 AC unit failure

• Uncalibrated board

In this state all the HMPID HV channels are switched OFF.

The TPC HV state diagram

[Figure: state diagram, kindly provided by U. Frankenfeld. States: OFF, NOT_READY, HW_READY, CONFIGURED, INTERMEDIATE, ON, ERROR, CONFIG, RAMPING_UP, RAMPING_DOWN. Transition labels: START_HW, STOP_HW, CONFIGURE, SET_CONFIGURATION, GO_INTERMEDIATE, START, STOP, SWITCH_OFF, RECOVER. Annotation: "At least one channel tripped at voltages above INTERMEDIATE voltage".]


The state diagram of the HV for one HMPID module

[Figure: state diagram. States: OFF, STANDBY, RAMPING_UP, RAMPING_DOWN, ON, ERROR_REPAIR. Transition labels: CONFIGURE, Go_Standby, Go_ON, Go_OFF, Go_RampDW, Reset, Repair, Acknowledge. Annotations: "All channels off"; "After the download of recipes all channels at Standby"; "All channels at Standby"; "At least one channel ramping up"; "At least one channel ramping down"; "X% of channels on"; "max?"; "Trips?"; "CH Trip?"; "Yes"; "At least one channel tripped"; "#trips < 4"; "#trips ≥ 4"; "#trips ≥ 4 upon Acknowledge"; "From any state upon Reset".]

The TPC HV channel SD

[Figure: state diagram. States: OFF, CONFIGURED, INTERMEDIATE, ON, ERROR, ERROR_LO, CONFIG, CONFIG_LO, CONFIG_INTERMEDIATE, CONFIG_ON, RAMPING_UP, RAMPING_DOWN, RAMPING_UP_LO, RAMPING_DOWN_LO, RAMPING_DOWN_CONF, RAMPING_DOWN_EM. Transition labels: CONFIGURE, SET_CONFIGURATION, GO_INTERMEDIATE, START, STOP, SWITCH_OFF, RECOVER. Other labels: EMERGENCY_OFF, "ALL STATES".]


13.2. Alarm Handling (from the JCOP FW sub-project guidelines and convention document)

Following the guidelines of the AWG the intention of an alarm is to bring an anomaly situation to the attention of an operator and as such alarms are considered to be messages which are displayed to the operator via the alarm display and that are logged. An alarm does not initiate an action. Should an action be required then this should be handled within the FSM.

An alarm has several properties:

· Its Origin, which is used to identify the source of an alarm.

· Whether or not the alarm requires acknowledgement.

· Its Severity Level, which is used to characterise the seriousness of the alarm.

· Its Dependencies on other alarms.

· Certain Additional Details about the alarm.


Alarm notification in PVSS and the FSM system recovering

[Figure: HMPID DCS software architecture. Legend: SMI Control Unit, SMI Device Unit, Hardware Device; Work in progress, Ready. Nodes: HMPID DCS; HV, LV/FEE, GAS, Cooling System, LCS, Phys. Par; HV Mod 1, HV PS1, LV PS1, FEE Mod 1, LCS Mod 1; CAEN SY1527 HV PS, WIENER PL500F8 LV PS, PLC, Pumping St. Annotations: "Alarm sources"; "Alarm notification in PVSS"; "System recovering on alarms in FSM".]


An example of HV system recovering on different alarm severity

1. On a PVSS warning the operator is prompted via a color-coded message on the MMI. No automatic FSM actions are taken.

2. ERROR_REPAIR: this is an FSM state that becomes active, at the level of the module Device Unit, as soon as one or all of the linked HV channels have tripped. Then, according to the number of tripped channels, the module is automatically switched off and the operator is allowed to recover the module from the fault condition. It does not activate the ERROR state of the top-level HV Control Unit.

3. ERROR: this is an FSM state that becomes active, at the level of the HMPID HV CU, on the occurrence of an SY1527 failure (fan failure, un-calibrated board, external interlock…) or when more than 3 modules are in the ERROR_REPAIR state. In this case all the HMPID HV is switched off and the ERROR state is notified to the ECS for the sub-detector recovery procedure.
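
The three severity levels above, as an added example that is not part of the original slides or of the HMPID DCS software: a Python model of how module-level trips and crate-level failures escalate to the HV Control Unit. The `Module` class, the alarm key names and the `READY` placeholder state are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Conditions the slides list as pushing the HV Control Unit straight to ERROR.
# The key names are this example's own labels, not PVSS datapoint names.
CRATE_FAILURES = {"fan_tray_failure", "ac_unit_failure",
                  "uncalibrated_board", "external_interlock"}
MAX_MODULES_IN_REPAIR = 3  # ERROR on "more than 3 modules in ERROR_REPAIR"

@dataclass
class Module:
    name: str
    tripped_channels: int = 0                      # HV channels currently in trip
    warnings: list = field(default_factory=list)   # PVSS warnings, display only

    def state(self) -> str:
        # Device Unit level: any tripped channel puts the module in ERROR_REPAIR.
        # "READY" stands in for the normal operating states (assumption).
        return "ERROR_REPAIR" if self.tripped_channels > 0 else "READY"

def evaluate_hv(modules, crate_alarms=()):
    """Return (control_unit_state, actions) for the HV sub-system."""
    actions = []
    # Severity 1: warnings reach the operator only; no FSM action is taken.
    for m in modules:
        actions += [f"MMI warning on {m.name}: {w}" for w in m.warnings]
    # Severity 2: module-level fault, recoverable by the operator.
    in_repair = [m.name for m in modules if m.state() == "ERROR_REPAIR"]
    actions += [f"operator may recover {name}" for name in in_repair]
    # Severity 3: crate failure, interlock, or too many modules in repair.
    failures = sorted(CRATE_FAILURES & set(crate_alarms))
    if failures or len(in_repair) > MAX_MODULES_IN_REPAIR:
        actions += ["switch OFF all HV", "notify ECS: ERROR"]
        return "ERROR", actions
    return "READY", actions

if __name__ == "__main__":
    # Constructed input: 7 modules, M2 has one tripped channel.
    mods = [Module(f"M{i}") for i in range(1, 8)]
    mods[1].tripped_channels = 1
    print(evaluate_hv(mods))
    print(evaluate_hv(mods, crate_alarms=["external_interlock"]))
```

Three modules in ERROR_REPAIR leave the Control Unit out of ERROR; a fourth, or any single crate-level condition, switches all HV off and reports to the ECS.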

[Figure: HMPID DCS error propagation. Labels: SY1527; modules M1 to M7, each with HV, LV and LCS; GAS; S1, S6; EXT. INTER.; HV sub-system CS; HV ERROR, "To the HMPID DCS ERROR handling"; HMPID ERROR, "To the ECS for the ERROR recovering procedure".]


ERROR_REPAIR Panels


Interlocks

CAEN SY1527

· Kill input: all the channels switch OFF (regardless of the RMPDW setting); both TTL and NIM signals are accepted.

· Interlock input: both open/closed contact logic available.

· Remote Power On: 12 V, 50 mA

WIENER PL500

· Interlock input: +5 V (on 500 normally open relay) to keep the power unit ON. Removing the 5 V, the PS switches OFF.

ISEG HV modules

· Safety loop = Interlock input: 5 mA < Is < 20 mA, HV ON; Is < 5 mA, HV OFF

The cross-system interlock activation represents the most severe alarm condition for a subsystem. In this case the DCS goes directly into the major ERROR state. This must be propagated to the ECS level to start the recovery procedure for that sub-detector.

The levels and logic accepted by the PS units suggest, as the interlock line source, a TTL signal provided via a normally open relay that is kept closed while the source system is OK. On a system failure (interlock active) the interlock relay is released, removing the TTL level from the PS units, which consequently switch OFF. This logic has now been adopted by the CERN group providing the GAS control systems.


Suggestion/proposal

Dedicated meetings:

1. To define the standard HV and LV state diagrams

2. To define the FSM ERROR states with respect to the alarm severity

3. To start the FSM design for each sub-detector.

All the HMPID DCS software will be made available on the web as a DCS example


Conclusions

1. In order to standardize the sub-system operation and the error recovery procedure (HV, LV,…) on the different ALICE sub-detectors, it is wise to standardize as much as possible the subsystem state diagrams along with the sub-detector state diagrams.

2. So far, for the ERROR recovery procedure there are the following examples:

   1. According to the alarm severity, in the HMPID DCS there are two error states: ERROR_REPAIR and ERROR;

   2. In the TPC DCS just one: ERROR.

3. An overview of the interlock inputs on the CAEN, WIENER and ISEG power supplies has shown that a TTL signal, provided via a normally open relay kept closed by the interlock source system in the running condition, can provide a commonly accepted signal level and logic.