1 Introduction
The Hefei Light Source-II (HLS-II) is a dedicated synchrotron radiation facility that can emit radiation from the infrared to the vacuum ultraviolet in both top-off and decay operation modes. It is composed of an 800 MeV linac, an 800 MeV storage ring, and a transport line connecting the linac and the storage ring [1].
The Personnel Safety System (PSS) is a crucial part of the HLS-II. It is used to protect the staff and users at HLS-II from radiation damage. The SiPass system is a TCP/IP based distributed access control system developed by the Siemens Building Technologies Company [2]. It was adopted to process the interlock signals in the prior version of HLS-II PSS. However, this HLS-II PSS could not provide a personnel management function, and it was ineffective for sharing information. To overcome these drawbacks, a novel PSS was designed for the HLS-II in 2017.
The programmable logic controller (PLC) and redundant technology are widely used in the design of the PSS at large scientific facilities to fulfill the requirements relating to high reliability and stability. These facilities include the Japan Proton Accelerator Research Complex [3], European Spallation Source [4], CERN with the Super Proton Synchrotron (SPS) and Large Hadron Collider [5], Stanford Linear Accelerator Center with the radiation safety systems [6], and the Institute of Nuclear Energy Safety Technology with the high intensity D-T fusion neutron generator [7].
To fulfil the requirements of the China National Standard GB18871-2002 (international basic standards for protection against ionizing radiation and for the safety of radiation sources) [8], the main design principles of the proposed HLS-II PSS are defined as follows: 1) the system needs to be hardware-based; 2) it needs to adopt a fail-safe and redundant design; and 3) it must be based on classified protection. The novel HLS-II PSS is designed around the Siemens redundant PLC S7-412-5H under the Experimental Physics and Industrial Control System (EPICS). EPICS is a set of open-source software tools, libraries, and applications that are widely used in large scientific facilities [9-12]. The novel HLS-II PSS comprises three parts: a safety interlock system, an access control system, and a radiation monitoring system. The safety interlock system implements the interlock logic. The access control system restricts the access of staff and users at HLS-II and provides a personnel management function. The radiation monitoring system monitors the dose rate in the light source and the surrounding areas.
In this paper, Sect. 2 introduces the system architecture of the novel HLS-II PSS, and Sect. 3 provides details of the design of the safety interlock system and of the personnel management function in the access control system. Section 4 demonstrates the design of the operator interfaces (OPIs) and the offline performance tests of the novel HLS-II PSS, and Sect. 5 describes the development of the PLC programs and EPICS driver.
2 System Architecture
The proposed HLS-II PSS ensures personnel safety by monitoring the radiation dose rate, controlling interlock signals, and executing the interlock actions. We integrated the safety interlock system, access control system, and the radiation monitoring system under the EPICS environment to enable information sharing. We also used the existing data archiver and alarm toolkits provided by the EPICS community to archive the historical data and publish the alarm information [13]. The system architecture of the novel HLS-II PSS consists of three layers: the EPICS layer, the controller layer, and the devices layer, as shown in Fig. 1.
The EPICS layer comprises the EPICS input/output controllers (IOCs) and the OPIs. The novel HLS-II PSS uses two IOCs. The first IOC was responsible for monitoring and analyzing the real-time data of the safety interlock system and access control system through the PLC. The data of the radiation monitoring system was transmitted into the second IOC. In the EPICS environment, the first IOC could conveniently retrieve the radiation monitoring data from the second IOC. The operation commands and radiation monitoring data were downloaded to the PLC. The interfaces were developed with Phoebus/Display Builder and executed on the OPIs. Phoebus is an update of the Control System Studio toolset that employs generic tools and technologies available as part of the Java ecosystem [14].
The controller layer included only one pair of the Siemens redundant PLC S7-412-5H. The PLC could gather the IO signals and access data from a total of 14 IO stations (using fiber optic cables), and receive the radiation monitoring signals and commands from the EPICS layer. The redundant PLC pair included two high performance PLCs that backed up each other. One of them performed the function of the MASTER PLC, while the other one acted as the SLAVE PLC. During the operation, these two PLCs synchronized the programs and the real-time data over a high-speed fiber, and their roles could be switched whenever the MASTER PLC failed. As the design principle requires the system to be hardware-based, all the interlock logic and access algorithms were processed in the PLC.
In the devices layer, 14 Siemens ET200S IO stations were distributed adjacent to the 14 security doors. The input signals of the search buttons, emergency buttons and the security doors were collected into the IO stations through the digital input (DI) modules. The signals of the audible and visual alarm devices, button lamps and the interlock actions were output through the digital output (DO) modules. In addition, the data of the card reader was transmitted into the IO station via the Modbus-RTU protocol.
According to the design, 134 input signals were monitored, including 41 for search buttons, 25 for emergency stop buttons, 42 for security doors, and 26 for radiation monitoring purposes. All the signals (except for radiation monitoring) were transmitted from the IO stations. The communication between the PLC and IO stations used the PROFINET real-time protocol, and the communication cycle time was defined as 2 ms. PROFINET is the standard for industrial networking with respect to automation in data communication, and it is widely used in accelerator control systems [4, 15, 16]. The communication between the IOC and PLC used ETHERNET with a communication cycle time of 100 ms. The radiation monitoring signal represented the radiation dose averaged over a period of 5 s, so this signal did not require high real-time performance. It was transmitted between the IOCs over the EPICS Channel Access protocol.
3 Design of the Safety Interlock System and Access Control System
The radiation monitoring system was developed based on EPICS and deployed at HLS-II in 2017 [17]. This section focuses on the design details of the safety interlock system and the access control system.
3.1 Safety Interlock System
The safety interlock system is a crucial system that processes the interlock logic. The operation of the safety interlock system comprised the following three operation states: released state, searching state and the interlocked state. Fig. 2 shows the workflow chart of the safety interlock system. Table 1 lists the definitions and actions of the different operation states.
States | Definition | Actions |
---|---|---|
Released State | Release the interlock | Reset interlock logic; turn off search lamps |
Searching State | Process to establish the interlock | Audible and visual alarm; search the interlock areas; turn on search lamps; lock the security doors |
Interlocked State | Interlock is established | Beam injection; choose the operation mode |
When the facility was turned on, the safety interlock system entered the released state. The HLS-II included three safety interlock areas: the linac, the ring center and the ring hall. In the released state, the interlocks of these three areas were released. All the interlock signals were reset and the search lamps were turned off.
The searching state was aimed at establishing the interlock. When the searching state was initiated, the operator would inform all individuals to leave the interlock areas using audible and visual alarms. Then the interlock areas in the linac, ring center and ring hall were searched consecutively by the operator. If all the search buttons were pressed and the security doors were locked, the operator issued the beam permit command to transfer the operation state into the interlocked state.
For the HLS-II, after the beam was injected and the beam current of the storage ring reached 360 mA, one of two operation modes, the top-off mode or the decay mode, could be selected. The top-off mode is a high performance operation mode, in which the beam is injected every few minutes [18]. Thus, the linac and ring center were maintained in the interlocked state in the top-off mode. In the decay mode, the beam was injected every few hours, and the interlock of the linac and ring hall could be released, while the ring center was maintained in the interlocked state.
During the interlocked state, if the interlock was released by the operator or triggered by an interlock signal (for example, an emergency button was pressed or the radiation monitoring system detected an excessive radiation dose), the safety interlock system would cut off the timing signals of the electron gun and the microwave system and transition to the released state.
3.2 Access Control System
The design of the access control system in HLS-II is based on the principle of classified protection. The interlock areas were classified into three types according to the radiation dose rate: the high radiation area, the radiation area, and the safety area. If the radiation dose rate was higher than 10 μSv/h, the interlock area was defined as the high radiation area. If the radiation dose rate ranged between 1 μSv/h and 10 μSv/h, the interlock area was defined as the radiation area. If the dose rate was less than 1 μSv/h, it was defined as the safety area. Table 2 lists the safety classifications of the interlock areas in different PSS states. In the high radiation area, access through the security doors was prohibited, and no personnel were allowed to open the doors under any condition. In the radiation area, only the staff were provided with the restricted access authority. In the safety area, staff, users, and all other personnel could open the security doors with their respective access cards.
Operation States | Linac | Ring Center | Ring Hall |
---|---|---|---|
Released State | Radiation Area | Radiation Area | Safety Area |
Searching State | Radiation Area | Radiation Area | Radiation Area |
Interlocked State: Beam Enable | High Radiation Area | High Radiation Area | High Radiation Area |
Interlocked State: Top-Off Mode | High Radiation Area | High Radiation Area | Safety Area |
Interlocked State: Decay Mode | High Radiation Area | Radiation Area | Safety Area |
In HLS-II, the security doors could be opened using the respective access cards. When the access card was swiped, the card information was transmitted to the PLC. Then the PLC determined the access permission according to the access authority of each card and safety classification of the interlock areas. The card number and authentication information were transmitted to the IOC and archived in the EPICS database as an event for recording and tracking. Meanwhile, the OPIs could display the access state synchronously.
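The access decision described above can be modelled as a Table 2 lookup followed by a check of the card's authority. This is an added example, not the PLC program from the paper; the role names, the function names and the deny-by-default handling of unknown or invalid inputs are assumptions.

```python
import math
from enum import Enum

class Area(Enum):
    SAFETY = 1          # dose rate below 1 uSv/h
    RADIATION = 2       # 1 to 10 uSv/h
    HIGH_RADIATION = 3  # above 10 uSv/h

S, R, H = Area.SAFETY, Area.RADIATION, Area.HIGH_RADIATION

# Table 2: classification of each interlock area per PSS state or mode.
TABLE_2 = {
    "released":    {"linac": R, "ring_center": R, "ring_hall": S},
    "searching":   {"linac": R, "ring_center": R, "ring_hall": R},
    "beam_enable": {"linac": H, "ring_center": H, "ring_hall": H},
    "top_off":     {"linac": H, "ring_center": H, "ring_hall": S},
    "decay":       {"linac": H, "ring_center": R, "ring_hall": S},
}

# Card authorities per classification (role names are assumptions).
MAY_ENTER = {S: {"staff", "user", "other"}, R: {"staff"}, H: set()}

def classify_by_dose(rate_usv_h):
    """Classify an area from its dose rate using the thresholds in the text."""
    if (not isinstance(rate_usv_h, (int, float)) or math.isnan(rate_usv_h)
            or rate_usv_h < 0):
        return H  # assumption: an invalid reading is treated as worst case
    if rate_usv_h > 10:
        return H
    return R if rate_usv_h >= 1 else S

def classify(pss_state, area):
    """Table 2 lookup; an unknown state or area falls back to HIGH_RADIATION."""
    return TABLE_2.get(pss_state, {}).get(area, H)

def decide(card_no, role, pss_state, area):
    """Return the event that would be archived for one card swipe."""
    level = classify(pss_state, area)
    return {"card": card_no, "area": area, "state": pss_state,
            "class": level.name, "granted": role in MAY_ENTER[level]}
```

A card with an unrecognised role is refused in every area, and a NaN dose reading does not silently fall through the comparisons into the safety class.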
In the access control system, the personnel count function was realized in the EPICS IOC using the state notation language (SNL). SNL is a domain specific programming language, which can provide a simple yet powerful tool for sequential operations in a real-time control system [19]. The number of personnel in each of the interlock areas was counted by the SNL program and the count results were recorded into the EPICS records.
4 Software Development
4.1 PLC Programs
As shown in Fig. 3, the PLC programs include two types of blocks: the data block and the function block. The data block is used as the storage block for the PLC programs. The input and output data are stored in the data blocks "DI Data" and "DO Data", respectively. The function block is used to process the safety interlock and access control signals and to communicate with the EPICS IOC.
In the PLC programs, the input signals from the IO devices and the input data from the data block "DI Data" were retrieved using the receive function. Two flags, the lock flag and the bypass flag, were defined for each signal in the preprocess function to handle different types of input signals. The lock flag was designed to latch a transient signal, such as the signal of a search button. The bypass flag was used to ignore the related signal during system tests or maintenance.
The execution of the interlock logic and the PSS state transition among the released state, searching state and the interlocked state were managed by the safety interlock function. The access control function was used to process the access algorithms and control the security doors. The send function was used to output the interlock signals to the IO devices and record the output data to the data block "DO Data".
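The lock and bypass flags and the state transitions of Sect. 3.1 can be exercised together in a small scan-based model. This is an added example, not the paper's PLC code; the command names, the value reported for a bypassed input, applying the trip while searching, and treating a short input frame as a trip are assumptions.

```python
from dataclasses import dataclass

RELEASED, SEARCHING, INTERLOCKED = "released", "searching", "interlocked"

@dataclass
class Signal:
    lock: bool = False     # lock flag: latch a transient pulse (search button)
    bypass: bool = False   # bypass flag: ignore the input (test, maintenance)
    latched: bool = False

    def preprocess(self, raw, neutral=False):
        # 'neutral' is the value reported while bypassed (assumption).
        if self.bypass:
            return neutral
        if self.lock:
            self.latched = self.latched or raw
            return self.latched
        return raw

class Interlock:
    def __init__(self, n_search, n_estop):
        self.state = RELEASED
        self.beam_enabled = False  # timing of electron gun and microwave system
        self.search = [Signal(lock=True) for _ in range(n_search)]
        self.estop = [Signal() for _ in range(n_estop)]

    def active_bypasses(self):
        """Number of bypassed inputs, for display or audit."""
        return sum(s.bypass for s in self.search + self.estop)

    def _release(self):
        for s in self.search:
            s.latched = False      # released state resets the interlock logic
        self.state, self.beam_enabled = RELEASED, False

    def scan(self, search_raw, estop_raw, doors_locked, dose_excessive, cmd=None):
        """One PLC-style scan; returns the state after the scan."""
        bad_frame = (len(search_raw) != len(self.search)
                     or len(estop_raw) != len(self.estop))
        tripped = bad_frame or dose_excessive or any(
            s.preprocess(r) for s, r in zip(self.estop, estop_raw))
        if self.state == RELEASED:
            if cmd == "start_search" and not tripped:
                self.state = SEARCHING
        elif tripped or cmd == "release":
            self._release()        # cut the timing signals, back to released
        elif self.state == SEARCHING:
            searched = [s.preprocess(r, neutral=True)
                        for s, r in zip(self.search, search_raw)]
            if cmd == "beam_permit" and all(searched) and doors_locked:
                self.state, self.beam_enabled = INTERLOCKED, True
        return self.state
```

Because a bypassed emergency button no longer trips the interlock, `active_bypasses()` gives operators a value to check before a beam permit is issued.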
The communication function was used to define the communication cycle and the size of the communication frame, establish the communication links, and exchange data with the EPICS IOC. The role of the PLC could be determined by its state parameters. Only the MASTER PLC was used to transmit the data to the EPICS IOC.
4.2 EPICS Driver of Redundant PLC
The development of the EPICS driver for the Siemens redundant PLC is based on the EPICS driver "S7plc" [20, 21]. The driver was intended to connect to the PLC via the TCP/IP protocol. The EPICS IOC was set up as the TCP client, and the PLCs were set up as the TCP server. Fig. 4 demonstrates the structure of the EPICS driver.
The EPICS driver includes four types of threads: the manager thread, the link thread, the data receive thread, and the data send thread. After the IOC driver was initialized, the two link threads periodically attempted to establish the TCP circuits with the redundant PLC pair. Once the circuits were established, only the MASTER PLC transmitted data to the IOC. The manager thread used this behavior to distinguish the roles of the redundant PLCs. The data receive thread and the data send thread were used to exchange data.
During the communication, the SLAVE PLC did not transmit data to the IOC. To check whether the SLAVE PLC was operational or not, the IOC transmitted the "ping" command periodically to the SLAVE PLC. If the MASTER PLC failed, the IOC would not receive any data. Once the SLAVE PLC switched to the new MASTER PLC, it transmitted data to the IOC. After the IOC received the data again from the new MASTER PLC, it could determine that the roles of the redundant PLCs were switched and the data was exchanged with the new MASTER PLC.
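The role inference described above can be modelled as a small tracker fed by the receive and ping paths. This is an added example, not the driver's code; the class and method names, the timeout values and the conflict flag raised when both links deliver fresh data are assumptions.

```python
CYCLE = 0.1  # IOC-to-PLC communication cycle stated on the page: 100 ms

class RoleTracker:
    def __init__(self, data_timeout=3 * CYCLE, ping_timeout=2.0):
        self.data_timeout = data_timeout  # assumed: three missed cycles
        self.ping_timeout = ping_timeout  # assumed ping supervision window
        self.master = None                # link index 0 or 1, None if unknown
        self.last_data = [None, None]
        self.last_pong = [None, None]
        self.switchovers = 0
        self.conflict = False             # both links delivered fresh data

    @staticmethod
    def _fresh(stamp, now, limit):
        return stamp is not None and now - stamp <= limit

    def on_data(self, link, now):
        """Called when a data frame arrives on link 0 or 1 at time 'now' (s)."""
        other = 1 - link
        if self.master is None:
            self.master = link
        elif self.master == other:
            if self._fresh(self.last_data[other], now, self.data_timeout):
                self.conflict = True      # the known MASTER is still sending
            else:
                self.master = link        # the roles were switched
                self.switchovers += 1
        self.last_data[link] = now

    def on_pong(self, link, now):
        """Called when the reply to a 'ping' arrives on a link."""
        self.last_pong[link] = now

    def status(self, now):
        if self.master is None:
            return {"master": None, "data_ok": False, "standby_ok": False}
        standby = 1 - self.master
        return {
            "master": self.master,
            "data_ok": self._fresh(self.last_data[self.master], now,
                                   self.data_timeout),
            "standby_ok": self._fresh(self.last_pong[standby], now,
                                      self.ping_timeout),
        }
```

The `data_ok` and `standby_ok` fields separate stale process data from loss of the standby, which are the two conditions the ping and the data stream detect.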
5 Offline Tests of the Developed System
5.1 OPI Design
The OPIs of the proposed HLS-II PSS comprise the OPI of the linac area and that of the storage ring area, as shown in Fig. 5(a) and Fig. 5(b), respectively. The linac area includes the linac tunnel and transport line tunnel. The storage ring area includes the ring center and ring hall.
The OPI could be divided into the following four parts: 1) the distribution and state of the security doors, emergency buttons, search buttons and the alarm devices; 2) personnel count and the radiation dose monitoring state in the interlock areas; 3) interlock logic diagram; and 4) the operation commands and related states. The line color in the interlock logic diagram is variable depending on the logic value. It is gray when the logic value is 0 and green when the logic value is 1.
5.2 Offline Tests
The development of the novel HLS-II PSS is complete. To ensure that this system could function as per the design, we set up an offline test platform, as shown in Fig. 6. In the platform, the redundant PLCs and the industrial switch were installed in the cabinet. According to the location of the IO devices at HLS-II, all the buttons, lamps, and the card readers were mounted on three boards with the names "LINAC", "RING HALL", and "RING CENTER". The information screen was used to display the state of the security door and the personnel count results. In Fig. 6, the OPI and part of the 14 IO stations are also shown. The IOC is not shown in the picture.
The offline platform was tested continuously for one month under conditions matching real operation. The test results demonstrated that all the devices could function in a proper and stable manner, interlock actions could be executed effectively, and the top-off mode and decay mode could be supported successfully. Moreover, it was observed that the offline platform could function properly during a switchover of the redundant PLCs.
6 Conclusion
In the novel design of the HLS-II PSS, the safety interlock system, access control system and the radiation monitoring system were integrated under the EPICS environment. With this design, it is easy to share information and use the existing toolkits provided by the EPICS community. In the access control system, the personnel management function was designed for monitoring the entry and exit of the staff and users. Therefore, the HLS-II management requirements were also fulfilled.
Currently, the development of the novel HLS-II PSS is complete. The system was tested under an offline test platform for a month, and the results indicated that the novel HLS-II PSS could function according to the design requirements. The novel HLS-II PSS will be deployed during the next shutdown of HLS-II.
References
[1] The upgrade project of Hefei light source (HLS).
[2] SiPass integrated brochure, https://www.downloads.siemens.com/download-center
[3] Personnel Protection System of Japan Proton Accelerator Research Complex.
[4] Accelerator Personnel Safety Systems for European Spallation Source.
[5] New Concepts for Access Devices in the SPS Personnel Protection System.
[6] Safety Integrity Level (SIL) Verification for SLAC Radiation Safety Systems.
[7] Design of the personnel radiation safety interlock system for high intensity D–T fusion neutron generator. J. Fusion Energ. 34: 346-351 (2015) doi: 10.1007/s10894-014-9807-1
[8] Basic Standards for Protection Against Ionizing Radiation and for the Safety of Radiation Sources, http://www.nirp.cn/userfiles/file/GB18871-2002.pdf
[9] EPICS home page, http://www.aps.anl.gov/epics/about.php
[10] The control system for water-cooled DCMS in SSRF. Nucl. Sci. Tech. 26: 020103 (2015) doi: 10.13538/j.1001-8042/nst.26.020103
[11] The application of EPICS in TMSR radiation protection and access control system. Nucl. Sci. Tech. 27: 41 (2016) doi: 10.1007/s41365-016-0040-7
[12] Implementation of Intelligent Data Acquisition Systems for Fusion Experiments Using EPICS and FlexRIO Technology. IEEE T. Nucl. Sci. 60(5): 3446-3453 (2013) doi: 10.1109/TNS.2013.2281267
[13] EPICS data archiver at SSRF beamlines. Nucl. Sci. Tech. 25: 020103 (2014) doi: 10.13538/j.1001-8042/nst.25.020103
[14] Phoebus Documentation, https://media.readthedocs.org/pdf/phoebus-doc/latest/phoebus-doc.pdf
[15] PROFINET Entry Achive, https://us.profinet.com/technology/profinet/
[16] PROFINET communication card for the CERN cryogenics crate electronics instrumentation.
[17] Dose Rate Monitor System for the HLS-II. Nuclear Electronics and Detection Technology 37: 43-46 (2017) (in Chinese)
[18] Upgrade Project on Top-Off Operation for Hefei Light Source.
[19] State Notation Language and Sequencer Users Guide, https://epics.anl.gov/EpicsDocumentation/AppDevManuals/Sequencer/snl_1.9_man.html
[20] S7plc EPICS driver documentation, http://epics.web.psi.ch/style/software/s7plc/s7plc.html
[21] Epics Driver for PHOENIX Contact Redundant PLC.