A Beam Interlock System for CERN High Energy Accelerators by Todd, Benjamin
A Beam Interlock System
for CERN High Energy
Accelerators
A thesis submitted for the degree of
Doctor of Philosophy in Electrical and Electronic Engineering
Benjamin Todd
School of Engineering and Design,
Brunel University, West London.






















The Large Hadron Collider (LHC) at CERN (The European Organisation for Nuclear Research) is
one of the largest and most complicated machines envisaged to date. The LHC has been conceived
and designed over the course of the last 25 years and represents the cutting edge of accelerator
technology with a collision energy of 14TeV, having a stored beam energy over 100 times more
powerful than the nearest competitor. Commissioning of the machine is already underway and
operation with beam is intended for Autumn 2007, with 7TeV operation expected in 2008. The
LHC is set to answer some of the fundamental questions in theoretical physics, colliding particles
with such high energy that the inner workings of the quantum world can be revealed.
Colliding particles together at such high energy makes very high demands on machine operation
and protection. The specified beam energy requires strong magnetic fields that are made in
superconducting dipole magnets, these magnets are kept only around two degrees above absolute
zero and there is a high chance of particle impacts causing a magnet to quench, where the magnet
becomes normal conducting and has to be switched off before it destroys itself. Losing as little as
10−8 of the beam into the superconducting magnets will lead to a quench. A loss of 10−4 of the
beam into any part of the machine will cause damage, such as rupturing the machine vacuum,
which in the best case results in costly repairs and weeks of downtime, in a worse case the
destruction of one or more dipole magnets would mean many weeks of repairs to return the
machine to operation.
Due to the unprecedented sensitivity of the machine to beam losses, and the high cost of failure,
both financially and in terms of inefficiency, a complex Machine Protection System is envisaged,
surveilling and diagnosing the operation of the CERN high energy accelerators, ensuring their safe
operation.
Machine Protection Systems are employed in the LHC, SPS and beam transfer lines, protecting all
parts of the accelerator complex that handle beam above damage thresholds.
At the heart of each Machine Protection System lies a Beam Interlock System, connecting the
many components of the Machine Protection Systems which are located all around the accelerator
complex. The LHC is the ultimate application of these protection systems, here the Beam
Interlock System is responsible for relaying a command for controlled removal of the beam (Beam
Dump) to the LHC Beam Dumping System. The Beam Dumping System is the only part of the
accelerator that is capable of withstanding the impact of the full LHC beam without being
damaged in the process. The time response of the LHC Beam Interlock System has to be around
100µs, to protect against the fastest events which lead to beam losses. Each LHC Beam Interlock
System is made from sixteen Beam Interlock Controllers. These are distributed around the 27km
circumference of the machine, one at the left and one at the right of each Insertion Region, each
Controller acts as a local concentrator, monitoring up to 14 User System inputs. Fibre optic links
join the sixteen Controllers in so-called beam permit loops, making the high-speed, highly
dependable backbone of the Beam Interlock System.
This thesis is focussed on the conception, design and realisation of a generic Beam Interlock
System used to protect the high energy accelerators at CERN. The Beam Interlock System has
been designed to provide the LHC and its injector chain, as well as the SPS and its transfer lines,
including the CERN Neutrinos to Gran Sasso project, with an unsurpassed level of protection. In




vThis work has been carried out as part of the Doctoral Student Program at the







1.1 Physics, the State of the Art . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1.1 Questions at the Forefront of Physics . . . . . . . . . . . . . . . . . . . . . . . 4
1.1.2 Particle Accelerators, Past, Present and Future . . . . . . . . . . . . . . . . . 7
1.2 The European Organisation for Nuclear Research (CERN) . . . . . . . . . . . . . . . 8
1.2.1 The Large Hadron Collider (LHC) . . . . . . . . . . . . . . . . . . . . . . . . 9
1.2.2 LHC Experiments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
1.2.3 The CERN High Energy Accelerator Complex . . . . . . . . . . . . . . . . . 12
1.2.4 Investment in the LHC Project and its Experiments . . . . . . . . . . . . . . 15
2 Machine Protection Systems 17
2.1 LHC Stored Energy and Associated Risk . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.1.1 Energy in the Powering Circuits . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.1.2 Beam Energy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.1.3 Beam Damage Tests and Examples . . . . . . . . . . . . . . . . . . . . . . . . 19
2.2 Protecting the High Energy Accelerators . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.3 Failure Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.4 Dependability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
2.4.1 Realising the Safety Specification . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.4.2 Beam Interlock System Dependability Requirements . . . . . . . . . . . . . . 28
3 Beam Interlock System Introduction 31
3.1 Reaction Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
3.2 Beam-1, Beam-2 and Both-Beam Interlocking in the LHC . . . . . . . . . . . . . . . 33
3.3 Architecture of the LHC Beam Interlock System . . . . . . . . . . . . . . . . . . . . 33
3.3.1 Beam Permit Loops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
3.3.2 Beam Interlock Controllers (BICs) . . . . . . . . . . . . . . . . . . . . . . . . 35
3.3.3 Expanding the Manager (CIBM) . . . . . . . . . . . . . . . . . . . . . . . . . 36
3.4 Connecting to the User Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
3.4.1 Making a Fail-Safe RS485 Link . . . . . . . . . . . . . . . . . . . . . . . . . . 37
3.4.2 BEAM PERMIT INFO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
3.4.3 Redundant USER PERMITs . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3.4.4 The User Interface (CIBU) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3.4.5 Accommodating Simultaneous and Independent LHC User Systems . . . . . 40
3.5 Meeting the Dependability Requirements . . . . . . . . . . . . . . . . . . . . . . . . 41
3.6 Supervision of the Beam Interlock System . . . . . . . . . . . . . . . . . . . . . . . . 41
4 Beam Interlock System Realisation 43
4.1 Communications Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
4.2 Beam Permit Loops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
4.2.1 Ring-Closed and Tree-Open Permit Loop Summary . . . . . . . . . . . . . . 51
4.2.2 Beam Permit Loop Frequency . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
4.2.3 Optical Power Budget . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
vii
viii CONTENTS
4.2.4 Engineering the Optical Transceiver . . . . . . . . . . . . . . . . . . . . . . . 53
4.2.5 Transmission Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
4.2.6 Bit Error Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
4.2.7 Detection of BEAM PERMIT . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
4.2.8 Arming the Beam Permit Loop . . . . . . . . . . . . . . . . . . . . . . . . . . 61
4.2.9 Other Detectors for BEAM PERMIT . . . . . . . . . . . . . . . . . . . . . . 63
4.3 Beam Interlock Controllers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
4.3.1 LHC and SPS Chassis Types . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
4.3.2 USER PERMIT to LOCAL BEAM PERMIT . . . . . . . . . . . . . . . . . . 68
4.3.3 BEAM PERMIT to BEAM PERMIT INFO . . . . . . . . . . . . . . . . . . 69
4.3.4 TEST and MONITOR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
4.4 The Manager Board . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
4.4.1 Permits, Disabling & Permit Loop Signals . . . . . . . . . . . . . . . . . . . . 72
4.4.2 Masking and the Safe Beam Flag . . . . . . . . . . . . . . . . . . . . . . . . . 73
4.4.3 Latching and Arming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
4.4.4 Fail-Safe Programming of the Critical Signals . . . . . . . . . . . . . . . . . . 74
4.4.5 Matrix CPLDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
4.4.6 Monitor FPGA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
4.4.7 Manager Display (CIBMD) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
4.5 Test & Monitor Board (CIBT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
4.5.1 Manchester Encoded Frame Format in the Beam Interlock System . . . . . . 88
4.5.2 BEAM PERMIT INFO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
4.5.3 Serial Communications FPGA . . . . . . . . . . . . . . . . . . . . . . . . . . 90
4.5.4 TEST Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
4.5.5 MONITOR Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
4.5.6 Display Driver FPGA and Test and Monitor Display (CIBTD) . . . . . . . . 91
4.6 The Interface to the User Systems (CIBU) . . . . . . . . . . . . . . . . . . . . . . . . 93
4.6.1 USER PERMIT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
4.6.2 BEAM PERMIT INFO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
4.6.3 TEST and MONITOR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
4.6.4 Implementing the TEST and MONITOR Links . . . . . . . . . . . . . . . . . 96
4.6.5 Single and Double User Interfaces (CIBUS and CIBUD) . . . . . . . . . . . . 98
4.6.6 Fibre Optic Extension of the Controller to User Link (CIBFx) . . . . . . . . 99
4.7 Electrical Analysis of the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
4.7.1 Different Types of Link in the Beam Interlock System . . . . . . . . . . . . . 101
4.7.2 General Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
4.7.3 Signal Integrity Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
4.7.4 System Level Electro-Magnetic Compatibility Analysis . . . . . . . . . . . . . 106
4.8 Failure Modes, Effects and Criticality Analysis . . . . . . . . . . . . . . . . . . . . . 109
4.8.1 Procedure for Performing a FMECA . . . . . . . . . . . . . . . . . . . . . . . 109
4.8.2 Results of the BIS FMECA . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
4.9 Testing, Commissioning and System Diagnosis . . . . . . . . . . . . . . . . . . . . . 113
4.9.1 Controller Testing, Commissioning and Diagnosis . . . . . . . . . . . . . . . . 113
4.9.2 System Testing, Commissioning and Diagnosis . . . . . . . . . . . . . . . . . 116
4.9.3 Inter-System Testing, Commissioning and Diagnosis . . . . . . . . . . . . . . 116
4.10 Software and Supervision . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
4.10.1 Operator Screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
4.10.2 Specialist Screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
5 Proof of Concept and First Experience 127
5.1 Prototype Testing Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
5.2 Interlocking the SPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
5.2.1 Software Supervision of the SPS . . . . . . . . . . . . . . . . . . . . . . . . . 133
5.2.2 Software Interlocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
5.3 Interlocking the CNGS Extraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
5.3.1 Extraction Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
5.3.2 Current-Change Interlocking for CNGS . . . . . . . . . . . . . . . . . . . . . 139
5.3.3 Software Supervision of the CNGS Extraction . . . . . . . . . . . . . . . . . . 140
5.3.4 The VME Chassis in SPS BA4 . . . . . . . . . . . . . . . . . . . . . . . . . . 141
5.4 Scaling to the LHC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
CONTENTS ix
5.4.1 LHC Beam Interlock System Response Time . . . . . . . . . . . . . . . . . . 142
5.4.2 Final Improvements to the System . . . . . . . . . . . . . . . . . . . . . . . . 142
6 Conclusions 149
Appendices 151
A RS485 versus Current Loop Technology 151
A.1 Current Loop Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
A.2 Optocoupled RS485 Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
A.3 RS485 Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
B Testing a CERN Standard NE12 Cable 157
C LHC Beam Interlock System User’s List 159
D TEST and MONITOR Data in the BIS 161
D.1 History Buffer Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
D.2 MONITOR Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
D.3 TEST data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
E Socket and Connector Coding 169
F Electro-Magnetic Compatibility Analysis 171
F.1 Cables from User System to User Interface . . . . . . . . . . . . . . . . . . . . . . . . 171
F.2 Cables from User Interface to Controller . . . . . . . . . . . . . . . . . . . . . . . . . 173
F.3 Power Supply Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
G Signal Integrity Analysis 175
G.1 Electrical Length Calculation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
G.2 Type-1 Signal Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
G.2.1 USER PERMIT from User System to CIBU . . . . . . . . . . . . . . . . . . . 176
G.2.2 BEAM PERMIT INFO from CIBU to User System . . . . . . . . . . . . . . 176
G.3 Type-2 Signal Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
G.3.1 Differential Signals between CIBU and BIC . . . . . . . . . . . . . . . . . . . 177
G.4 Type-3 Signal Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
G.5 Type-4 Signal Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
G.6 Type-5 Signal Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
G.6.1 Worst Case Type-5 Link . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
G.6.2 Special Case Type-5 Link . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
H Failure Modes, Effects and Criticality Analysis 181
H.1 Double User Interface (CIBUD) Example . . . . . . . . . . . . . . . . . . . . . . . . 181
I BEAM PERMIT INFO in the Test & Monitor Board 199
J Schematic Examples 203
K PCB Examples 215
L VHDL Examples 219
L.1 Manchester Encoder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
L.2 Manchester Decoder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
M Display Boards 229
N Photographs of Components 231
N.1 CIBM Manager & CIBT Test and Monitor Boards . . . . . . . . . . . . . . . . . . . 231
N.2 CIBMD Manager Display & CIBTD Test and Monitor Display Boards . . . . . . . . 233
N.3 CIBO Optical Transceiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
N.4 CIBP Patch Panels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
N.5 CIBE Extender Boards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
N.6 CIBU User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
x CONTENTS
N.7 CIBD DC Power Supply . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
N.8 TT40 Installation Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
O Assembling the Rear Section of a VME Chassis 241
List of Figures 243
List of Tables 249
Bibliography 251
Glossary of Terms, Acronyms and Abbreviations 259
Index 265
Acknowledgements
Two and a half years hard work and here we are, finally a thesis! This may only have one name as
the principle author, but there are many who have contributed to my work in some way or
another, I don’t think a single page can express just how much I owe to others for their help, but
i’ll try!
There are three people who have been absolutely fundamental to this thesis. First and foremost I
want to thank Ru¨diger Schmidt for his excellent work, both as co-inventor of the LHC Machine
Protection System and as PhD student supervisor. Secondly I’d like to thank Bruno Puccio as
leader of the Machine Interlock Section, thanks for taking a chance on a student for the design of
the Beam Interlock System. Thirdly Cinzia Da Via, of Brunel University, for taking on and
sponsoring a student that she’d never worked with before and accommodating my thesis as part of
Brunel’s portfolio at a moments notice.
I also want to thank Arni Dinius, who has always been there with bright ideas, ready to spend an
afternoon debating the finer points of the design. Philippe Nouchi for the Manager board, and his
help with the VHDL. Markus Zerlauth, a voice of reason who’s been more help to me than he
probably gives himself credit for, and Matthias Werner, who has given me outstanding help
looking over schematics and polishing designs. Thanks to the rest of the Machine Interlocks
section who have given me an excellent environment to write my thesis, without you guys it’d be a
dull existence.
Thanks to Jan Uythoven, Roberto Filippini and Gianluca Guaglio who showed me the basics of
reliability theory, giving me an open and un-supposing forum in which to discuss the dependability
aspects of the design.
There are others whom i’d like to thank; Gary Beetham, who took a risk employing a technical
student many years ago and Jean-Bernard Ribes who supervised that student, without you guys
i’d not be here now. Also Pablo Alvarez Sanchez who introduced me to the world of VHDL and
has been a sounding board for ideas since long before the beginning of this project.
Amongst those who have guided and moulded me academically over the years, there are two who
deserve much credit. John Wheeler of Sunderland University, who taught me the skills of
engineering and professionalism, and John Curry of Durham School, who taught me to be a
scientist before being an engineer.
Of course, the academic influence is one thing, but to finish a thesis like this you need a solid
group of close friends who understand what it takes. My deepest thanks to S˜a´rka who has put-up
with me over the last year or two and who has helped wherever she could to make my life a little
bit easier, cheers to Shorty for being there the last few weeks and thanks to Big-Ben for the words
of support and for letting me keep the smartest appartment in Geneva.
Finally I come to the few people who have been with me since the beginning. I don’t need to write
much for them to know how much I appreciate their help. Mum, we finally did it! I’m proud of
you. John, cheers fella for being there when it mattered and Amy, the coolest little sister in the





The Large Hadron Collider (LHC) at CERN (The European Organisation for Nuclear Research) is
one of the largest and most complicated machines envisaged to date. The LHC has been conceived
and designed over the course of the last 25 years and represents the cutting edge of accelerator
technology with a collision energy of 14TeV, having a stored beam energy over 100 times more
powerful than the nearest competitor. Commissioning of the machine is already underway and
operation with beam is intended for Autumn 2007, with 7TeV operation expected in 2008. The
LHC is set to answer some of the fundamental questions in theoretical physics, colliding particles
with such high energy that the inner workings of the quantum world can be revealed.
Colliding particles together at such high energy makes very high demands on machine operation
and protection. The specified beam energy requires strong magnetic fields that are made in
superconducting dipole magnets, these magnets are kept only around two degrees above absolute
zero and there is a high chance of particle impacts causing a magnet to quench, where the magnet
becomes normal conducting and has to be switched off before it destroys itself. Losing as little as
10−8 of the beam into the superconducting magnets will lead to a quench. A loss of 10−4 of the
beam into any part of the machine will cause damage, such as rupturing the machine vacuum,
which in the best case results in costly repairs and weeks of downtime, in a worse case the
destruction of one or more dipole magnets would mean many weeks of repairs to return the
machine to operation.
Due to the unprecedented sensitivity of the machine to beam losses, and the high cost of failure,
both financially and in terms of inefficiency, a complex Machine Protection System is envisaged,
surveilling and diagnosing the operation of the CERN high energy accelerators, ensuring their safe
operation.
Machine Protection Systems are employed in the LHC, SPS and beam transfer lines, protecting all
parts of the accelerator complex that handle beam above damage thresholds.
At the heart of each Machine Protection System lies a Beam Interlock System, connecting the
many components of the Machine Protection Systems which are located all around the accelerator
complex. The LHC is the ultimate application of these protection systems, here the Beam
Interlock System is responsible for relaying a command for controlled removal of the beam (Beam
Dump) to the LHC Beam Dumping System. The Beam Dumping System is the only part of the
accelerator that is capable of withstanding the impact of the full LHC beam without being
damaged in the process. The time response of the LHC Beam Interlock System has to be around
100µs, to protect against the fastest events which lead to beam losses. Each LHC Beam Interlock
System is made from sixteen Beam Interlock Controllers. These are distributed around the 27km
circumference of the machine, one at the left and one at the right of each Insertion Region, each
Controller acts as a local concentrator, monitoring up to 14 User System inputs. Fibre optic links
join the sixteen Controllers in so-called beam permit loops, making the high-speed, highly
dependable backbone of the Beam Interlock System.
This thesis is focussed on the conception, design and realisation of a generic Beam Interlock
System used to protect the high energy accelerators at CERN. The Beam Interlock System has
been designed to provide the LHC and its injector chain, as well as the SPS and its transfer lines,
including the CERN Neutrinos to Gran Sasso project, with an unsurpassed level of protection. In
1
2 CHAPTER 1. INTRODUCTION
every application the stored beam energy is orders of magnitude above the damage thresholds of
the machines.
The first chapter outlines the CERN high energy accelerator complex including the LHC machine.
The fundamental motivations for the LHC are discussed, along with the key questions that remain
to be answered to broaden the understanding of the physical world. The ultimate aim of the
Machine Protection Systems is briefly discussed, with the key trade off being protection of the
machine versus permitting operation with destructive beam circulating in the machines.
The second chapter, marking the beginning of the work undertaken by the author, describes the
role of the Beam Interlock System in the context of the Machine Protection System, describing the
failure mechanisms that can lead to unstable situations and ultimately beam losses. The critical
operation path of the Beam Loss Monitor System to Beam Interlock System and LHC Beam
Dumping System is also described, showing the fundamental apportionment that has been used to
qualify the system’s safety, the concept of Safe Machine Parameters is also introduced, giving
flexibility in the operation of the machine during commissioning and at lower energies.
Chapter three presents an overview of the Beam Interlock System, briefly describing the basic
components and architecture, the concept of the Safe Beam Flag is described in the context of the
Beam Interlock System and complex interlocking criteria that use a Software Interlock channel are
also explained. The criteria for operation, supervision and good-as-new testing is also laid
out.
The fourth chapter describes the design and realisation of the Beam Interlock System in detail, the
beam permit loops, Beam Interlock Controllers and User Interface devices are explained.
Electro-Magnetic Compatibility, RS485 and signal integrity issues are all presented and described.
The thesis continues by presenting the results of dependability calculations based on manufacturer
data and military handbooks, showing the expected failure rates and failure modes of the Beam
Interlock System. Software and the test-monitor process is described, as the Beam Interlock
System is a first point of call for event analysis after a beam dump (Post Mortem). Differences to
accommodate the different applications of the Machine Protection System are presented, such as
those found in the extraction, injection and the SPS ring systems.
The fifth chapter describes the operation of the Beam Interlock System in two environments prior
to its final deployment in the LHC, the first is the SPS ring, where a small LHC type system has
been implemented since SPS startup in 2006, the second is the CNGS extraction where the system
has been tested and proven. Operational issues relating to these two applications are also
presented, leading to chapter six where conclusions are drawn regarding the design and
implementation of the Beam Interlock System.
The Beam Interlock System stands apart from other comparable electronic protection systems in
several aspects. The LHC is the first accelerator to have a Machine Protection System with a
defined dependability and the Beam Interlock System is the first of its type to have a dependability
specification. One must also consider that the testing, monitoring and aspects such as the Safe
Beam Flag are novel inventions setting the Beam Interlock System apart from others.
The author has been the lead-engineer in the design and realisation of the Beam Interlock System
to meet the strenuous requirements both in terms of safety and function. The author has being
involved in the project at every level and has been responsible for several key elements of the
system such as the built-in testing, monitoring and realising the safety constraints.
Readers can get a quick overview of the Beam Interlock System by consulting just a few sections of
this thesis. Looking through Chapter 3 and Appendix N reveals the basic architecture, operation
and gives an impression of what each part of the system represents in reality. Chapter 5 gives an
outline of the system operation, and proof of its function in a real application.
1.1. PHYSICS, THE STATE OF THE ART 3
1.1 Physics, the State of the Art
In 1917 Rutherford used alpha radiation to determine that the mass of a particle is concentrated
in a small central area called the nucleus, having smaller negatively charged electrons in a much
larger area around it [1, 1910], this irreversibly changed the understanding of the period, in stark
contrast to Thompson’s “pudding model” that had been accepted as valid since around 1900.
Almost one hundred years have passed and Rutherford’s model has been proven to be well
founded, the nucleus he described has been shown to be made of positively charged protons and
neutral neutrons, which they themselves have been shown to be composites of quarks.
Figure 1.1: Sub-Atomic Structure [2]
Understanding rapidly progressed in the first half of the 20th century, culminating in the
conception of the Standard Model. This describes the quantum world as a function of four
fundamental interactions of twelve basic particles and their antiparticles. The Standard Model is
known to be flawed however, for example it makes no effort to describe gravity at the quantum
level, after all, gravity is such a weak force, it’s effects at this scale are almost negligible.
Figure 1.2: Particles of the Standard Model
The four fundamental interactions of the Standard Model are:
• Electro-Magnetism is the attraction of positive charge to negative charge, it’s carrier is
the photon
• The Strong Interaction is the mechanism which enables positively charged protons to
remain in such close proximity within the nucleus when the electro-magnetic force is
attempting to separate them. The charge carrier of the strong interaction is the gluon
• The Weak Interaction governs nuclear decay, the W and Z bosons are the charge-carriers
of the weak interaction.
• Gravity is perhaps the most fundamental interaction, it is hypothesised that the graviton is
the force carrier of gravity.
4 CHAPTER 1. INTRODUCTION
Experiments have proven the Standard Model to be accurate, the Wand Z bosons were discovered
in SPS and their characteristics measured in the Large Electron Positron collider (LEP) at CERN:
their masses aligned almost perfectly with those expected.
However, certain aspects of the Standard Model have still not been ratified experimentally, neither
the graviton, nor the Higgs boson (introduced to account for mass) have ever been witnessed in
experiments to date. One then has to ask what the exact limitations of the Standard Model are,
and what’s next? Can quarks themselves be described as composites of more fundamental
particles? Indeed, can all the forces be described using a single theory, and more importantly, can
we verify this theory experimentally?
To begin to answer these types of questions, one needs to delve deep into the nature of matter,
examining its composition at a very low level. Particle accelerators are the microscopes at this
quantum scale, of which the LHC will be the most powerful ever constructed.
1.1.1 Questions at the Forefront of Physics
The LHC and its experiments are designed to provide clues to the answers of basic questions in
theoretical physics. The high energy of the LHC collider will test the limits of the Standard
Model, and will provide solid experimental data to help physicists in their search for a more
complete understanding.
Mass and the Higgs Boson
Some may argue that the most important question to be answered in modern physics relates to the
possible existence of the Higgs boson. This force carrier is so fundamental that proving its
existence would clarify a large section of hypothetical thinking. The Higgs boson was first
proposed in a paper by Peter Higgs at Edinburgh University in 1964 [3].
Higgs proposed that the whole of space is permeated
Figure 1.3: CMS Higgs Decay [4]
by a field, particles moving through this field
interact and acquire mass, the larger the interaction,
the more mass the particles appear to have.
The Higgs boson is a particle of this Higgs field, just
as photons are particles of the electromagnetic field,
it forms a cornerstone of the Standard Model and yet
has not been experimentally observed to date. Finding
the Higgs boson would explain whether this hypothesis
for the generation of mass is correct [5].
The Standard Model does not make an exact
prediction of the Higgs boson mass, it does give a likely
range for it to lie within, experiments in the Large
Electron Positron collider in 2000 could be interpreted
as showing some evidence of the Higgs at around
104GeV, but the results were ultimately inconclusive.
The predicted mass of the Higgs is well within the range which can be searched by the LHC.
Charge Parity Violation
Another important question in theoretical physics concerns the origins of Charge Parity (CP)
violation. CP is the product of two symmetries, charge conjugation and parity. Charge
conjugation is a simple symmetry between particles and anti-particles, and CP is represents an
equivalent simple symmetry between matter and anti-matter. The strong interaction and
electromagnetic interaction obey CP-symmetry, but certain types of weak interaction do not,
exhibiting a so called CP-violation.
1.1. PHYSICS, THE STATE OF THE ART 5
Particle Particle Anti ParticleSymbol Symbol
Charged Kaon K+ K−







Table 1.1: The K-Mesons / Kaons
The first observations of CP-violation were in Kaon systems, Kaons are a sub-set of mesons, which
are particles made of a single quark and antiquark. Kaons can spontaneously transform into their
anti-particles and in a symmetric world the Kaon and anti-Kaon would be equally observed.
Experiments in 1964 by Cronin and Fitch showed that the Kaons’ existence is unevenly split
between the two states, this experimental breakthrough was rewarded with a Nobel Prize in 1980.
For a long time CP-violation was only observed in Kaons, but more recently the BaBar experiment
at SLAC and Belle Experiment at KEK have shown that B-mesons also clearly exhibit
CP-violation [6].
So why is it that only the weak interaction has a CP-violation? Interestingly the Standard Model
implies that the Big Bang should have produced equal amounts of matter and anti-matter, which
it didn’t. CP-violation provides an explanation for this asymmetry, and leads to another
important observation of the physical world: dark matter.
Dark Matter
The first indication of dark matter came more than 70 years ago from observations on galaxies and
on clusters of galaxies. Close inspection showed that the speeds at which galaxies moved within a
cluster was very different from what would be expected if visible matter were all that was needed
to hold the cluster together. Later, the phenomenon was confirmed through studies of the rotation
of spiral galaxies. The results suggested that the spiral galaxies must be embedded in an invisible
spherical halo of dark matter. Cosmologists and particle physicists have begun to move towards
the same conclusion: dark matter must be made of things that are massive but undetectable, the
so-called Weakly Interacting Massive Particles (WIMPs). So do WIMPs exist and is CP-violation
somehow involved in dark matter’s origins?
The LHC is expected to examine these questions, the LHC-b experiment in particular is designed
to investigate CP-violation and rare decays of B-mesons, giving valuable experimental data to use
as baselines for models of CP-violation.
String Theory, Supersymmetry and Superstring Theory
Since the Standard Model is known to be flawed, numerous other theories have emerged to try and
improve it. String theory is a model of quantum physics which describes particles as small single
dimension strings rather than point charges. These strings are tiny, on the Planck length scale
(around 10−35m), and resonate at different frequencies representing different particles. Strings can
be open with two ends, or closed like a ring. The original string theory is now called ‘Bosonic
String Theory’ as it could only account for bosons (force carriers), and not fermions (matter).
Twenty-two extra dimensions and a particle having imaginary mass called the Tachyon had to be
invented to make the theory mathematically plausible. Enhancing string theory to account for
fermions led to hypothesis of supersymmetry (SUSY) which suggests that there are so-called
super-partner particles for every boson and fermion of the standard model.
6 CHAPTER 1. INTRODUCTION
Particle Symbol(s) Superpartner SuperpartnerSymbol(s)
leptons , µ, τ sleptons ˜, µ˜, τ˜
neutrinos v, vµ, vτ sneutrinos v˜, v˜µ, v˜τ
quarks u, c, t, d, s, b squarks u˜, c˜, t˜, d˜, s˜, b˜
photon γ photino γ˜
W boson W± Wino W˜±
Z boson Z0 Zino Z˜0
gluons g gluino g˜
graviton G gravino G˜
higgs boson h higgsino h˜
Table 1.2: Standard Model Particles and their Superpartners
String theory that includes SUSY is referred to as ‘superstring theory’ however no direct evidence
of any superpartner has been found as of yet, despite the successfully application of SUSY to many
other areas physics from the quantum to celestial scales. The LHC collision energy should be
sufficient to reveal some of the supersymmetrical partners, if they do exist.
There are five popular superstring theories, six if the original ‘Bosonic String Theory’ is
included.
Theory Dimensions String Types SUSY? Tachyon? Bosons? Fermions?
Bosonic 26 open and closed No Yes Yes No
I 10 open and closed Yes No Yes Yes
IIA 10 bound-open and closed Yes No Yes Yes
IIB 10 bound-open and closed Yes No Yes Yes
HO 10 closed Yes No Yes Yes
HE 10 closed Yes No Yes Yes
Table 1.3: Bosonic String and Superstring Theories
Some of the models suggest the existence of WIMPs, corresponding to the investigations into dark
matter [7] [8], the LHC will break new ground in the exploration for any evidence that supports or
contradicts these theories.
Theory of Everything
Maxwell described electrical and magnetic forces as a single electromagnetic theory 1864, this
theory was later expanded to include the weak force by Glashow, Salam and Weinburg leading to
electroweak theory in 1968. It is hypothesised that the electroweak and strong forces are
manifestations of the same force at extremely high energies, leading many to believe that these two
theories could be unified to create a single Grand Unified Theory (GUT), the Standard Model does
just that, but it’s known to be flawed as it cannot explain gravity. If gravity could also be
accommodated in the context of a Grand Unified Theory, then everything would be explained in a
single theory. A complete Theory of Everything (TOE).
So, questions remain, is superstring theory a step in the right direction towards a Theory of
Everything? Some would argue so, especially as Witten in the 1990s showed that the five different
types of Superstring theory could all be regarded as different aspects of a single M-Theory, could
this be the basis of a Theory of Everything?
1.1. PHYSICS, THE STATE OF THE ART 7
Figure 1.4: Unification of the Forces [2]
The LHC will explore the limits of the standard model, searching regions for evidence to ratify
these theories.
1.1.2 Particle Accelerators, Past, Present and Future
The LHC is one of over 17000 particle accelerators in the world today, around half of these are
used for medical purposes, and only a handful are for fundamental research [9]. The LHC
represents the cutting edge of accelerator physics, it will be the world’s leading proton-proton
accelerator for possibly decades to come.
Hadron accelerators like the LHC are primarily used to look for new particles and observations,
electron accelerators are then used to carry out a detailed investigation at precise energies once
observations have been made in a hadron collider. Accelerators, whether proton or electron, are
expensive to design, realise and operate, only large organisations like CERN have the capability to
build and operate the largest accelerators. To put the energy of the LHC in perspective consider
Table 1.4, comparing the LHC design energy to past, present and future colliders.
Name Type Collision Energy Location Status[TeV]
SLC e+e− 0.1 Stanford, USA
Past
[10]
LEP-I e+e− 0.1 CERN [11]
LEP-II e+e− 0.2 CERN [11]
KEKB e+e− 0.008 + 0.0035 Tsukuba, Japan
Present
[12]
PEP-II e+e− 0.009 + 0.0031 Stanford, USA [13]
HERA e±p 0.028 + 0.92 DESY, Hamburg [14]
TEVATRON pp¯ 2.0 FermiLab, USA [15]
LHC pp 14.0 CERN Future [16]
ILC e+e− 0.5 to 1.0 T.B.C.
Hypothetical
[17]
CLIC e+e− 2.0 to 10.0 CERN [18]
LHC-II pp 25.0 CERN [16]
VLHC-I pp 40.0 FermiLab, USA [19]
VLHC-II pp 175.0 FermiLab, USA [19]
Table 1.4: Past, Present, Future and Hypothetical Colliders [20]
CERN is one of many particle physics laboratories throughout the world, the LHC was chosen to
be built at CERN as a natural progression following the decommissioning and dismantling of
LEP.
8 CHAPTER 1. INTRODUCTION
1.2 The European Organisation for Nuclear Research
(CERN)
The name CERN is derived from the French “Conseil Europe´en pour la Recherche Nucle´aire”, or
European Council for Nuclear Research, a provisional body founded in 1951 with the mandate of
establishing a world-class fundamental physics research organization in Europe. When the
organization officially came into being in 1954 the new organization was given the title European
Organization for Nuclear Research, although the name CERN was retained. CERN was one of
Europe’s first joint ventures, presently it includes 20 member states. The evolution of CERN from
a notion in 1949, to host of the LHC in 2007 is shown in the Table 1.5.
Year Key Events
1949 Louis de Broglie suggests CERN be created
1954 CERN officially comes into being
1957 600MeV Synchrocyclotron commissioned
1959 28GeV Proton Synchrotron (PS) commissioned
1963 Bubble Chambers give first evidence of neutrino interactions
1965 CERN extends into France to build the Intersecting Storage Rings (ISR)
1967 ISOLDE commissioned
Gargamella Bubble Chamber agreed
1968 Multi-Wire Chambers tested in PS Beam-Line
1971 ISR commissioned
Super Proton Synchrotron (SPS) project approved
1972 800MeV Booster added to the PS Injector
1973 Neutral Currents discovery ratified
1976 SPS commissioned
1978 LINAC added to PS Injector
Stochastic Cooling demonstrated
pp¯ proposed for the SPS
SPS reaches 500GeV
1981 pp¯ collisions in SPS at 270GeV
Large Electron Positron collider (LEP) approved
Research into a superconducting proton-proton collider (LHC) starts
1983 W and Z Bosons discovered at SPS
LEP construction begins
1984 Nobel Prize awarded to C. Rubbia and S van der Meer for W and Z
1989 LEP commissioned
1990 T. Berners-Lee proposes the World Wide Web (www)
1991 LHC proposed to CERN council
1992 Nobel Prize awarded to G. Charpak for Multi-Wire Chambers
1994 LHC approved by CERN council
1995 anti-matter created from anti-particles
1996 LEP energy increased (LEP-II)
2000 LEP decommissioned to make way for LHC
2001 Charge-Parity (CP) Violation results verified
2005 LHC tunnel receives first LHC dipole
2006 CERN Neutrinos to Gran Sasso Project (CNGS) begins
2007 SPS to LHC Transfer Lines commissioning scheduled to start
LHC Commissioning and operation scheduled
Table 1.5: A Brief History of CERN [21]
The word nuclear gives an impression which is misleading. The organisation’s founding charter
makes it clear that CERN is devoted to pure science, open for everyone.
“The Organization shall provide for collaboration among European States in nuclear
research of a pure scientific and fundamental character, and in research essentially
related thereto. The Organization shall have no concern with work for military
requirements and the results of its experimental and theoretical work shall be published
or otherwise made generally available.” [22]
1.2. THE EUROPEAN ORGANISATION FOR NUCLEAR RESEARCH (CERN) 9
1.2.1 The Large Hadron Collider (LHC)
CERN’s latest challenge is the construction of the Large Hadron Collider (LHC). This machine
will take physics into a new era, exploring what lies beyond the Standard Model. The LHC will be
the world’s most powerful particle accelerator. It will collide protons at a combined energy of
14TeV, giving access to physics at an energy scale far higher than has been explored so far.
Figure 1.5: The 27km LHC Accelerator with SPS [Not to Scale] [23]
The LHC is the most complex scientific instrument ever constructed, it uses 1232 superconducting
dipole magnets with niobium-titanium coils. The superconducting magnets are maintained at only
1.9 degrees above absolute zero (about -271◦C) and are cooled by super-fluid helium. A major
feature of the LHC dipoles is their two-in-one design, providing opposite magnetic fields for the
two beams travelling around the machine in opposite directions within a single structure. The
27km accelerator also over one hundred normal conducting magnets, used to focus the beams and
fine-tune orbits, in addition to the superconducting dipoles.
10 CHAPTER 1. INTRODUCTION
Figure 1.6: LHC Dipole Magnet Installed in the Machine [24]
The LHC is a considerable investment and a long-term project, it began over 25 years ago, and is
expected to be operational for around 20 years. The LHC is designed to produce billions of
proton-proton collisions per second. Making it not only a machine for frontier physics, but also for
frontier technologies.
1.2.2 LHC Experiments
The LHC has four main experiments, each is a series of detectors surrounding a collision point,
measuring the energies and trajectories of the emerging particles at four beam crossings in the
machine.
1. ATLAS - A Toroidal LHC ApparatuS
2. CMS - Compact Muon Solenoid
3. ALICE - A Large Ion Collider Experiment
4. LHCb - LHC beauty
Two detectors called ATLAS and CMS have been designed by a collaboration of around 2000
researchers from around the world. These detectors are specifically designed to search for Higgs
bosons and evidence of supersymmetry.
1.2. THE EUROPEAN ORGANISATION FOR NUCLEAR RESEARCH (CERN) 11
Figure 1.7: The ATLAS Experiment [25]
Figure 1.8: The CMS Experiment [26]
Two other detectors, ALICE and LHCb are also under construction. ALICE will study matter as
it was in the first instants of the Universe, by observing ion collisions. LHCb will search for
evidence that address the matter-antimatter imbalance.
Figure 1.9: The ALICE Experiment [27] Figure 1.10: The LHC-b Detector [28]
Each collision gives rise to a spray of new particles such as those shown in Figure 1.11, simulated
in the ATLAS detector. This pattern shows what the detector would see if a Higgs boson was
produced. The various layers of the detector measure different particle properties, building up a
complete picture of each collision. In each collision between 100 and 1000 particles emerge and
there can be up to six hundred million collisions per second in each detector. Trigger electronics
select the interesting collisions, even after rigorous selection the volume of data recorded by each
experiment would fill 100,000 DVDs every year.
Figure 1.11: Simulation of Higgs boson decay in ATLAS [29]
12 CHAPTER 1. INTRODUCTION
1.2.3 The CERN High Energy Accelerator Complex
CERN was chosen as the site for the LHC for many reasons, perhaps the most motivating was that
the pre-injector complex and civil works required for the LHC already existed, as they had been
used during the LEP era.
Figure 1.12: CERN Accelerator Complex, Dimensions and Operational Year Marked [30]
A five accelerator path is used to get protons into the LHC:
LINAC2 → Booster → PS → SPS → LHC
For ions, the path is almost the same
LINAC3 → Leir → PS → SPS → LHC
This complex has been enhanced and upgraded over many years, the Proton Synchrotron (PS) was
one of the first accelerators commissioned at CERN, and almost fifty years later is still working
with very high efficiency. PS accelerate protons to 28GeV, from here they are passed to the SPS
where they are accelerated to 450GeV, finally they are transferred to LHC, where acceleration will
bring protons to an energy of 7TeV. The magnetic cycle of the LHC is shown in Figure 1.13 on the
next page, where the magnetic field is ramped up in a few minutes, accelerating the protons to
their final energy, which is maintained for several hours during collisions.
1.2. THE EUROPEAN ORGANISATION FOR NUCLEAR RESEARCH (CERN) 13
Figure 1.13: Nominal LHC Magnetic Cycle - adapted from [31]
The CERN high energy accelerators are considered as SPS and LHC, their stored beam
energy far surpasses the damage levels for the machines themselves. These are the machines that
fall under the auspices of the Machine Protection System and associated Beam Interlock Systems,
ensuring their operation is carried out in a dependable manner.
The Super Proton Synchrotron (SPS)
The SPS was originally a 7km proton accelerator, in the late 70’s and early 80’s it was used as a
proton - antiproton collider, revealing the W and Z bosons, which eventually resulted in the Nobel
Prize being awarded to Simon van der Meer and Carlo Rubbia. SPS is currently a proton or ion
accelerator, it’s been fitted with two transfer lines, TI2 and TI8 for the two LHC beams.
Figure 1.14: The SPS, shown with LHC transfer lines TI2 and TI8 [32]
CERN Neutrinos to Gran Sasso (CNGS)
Neutrino oscillation, where one type of neutrino becomes another, was first detected by
Super-Kamiokande, Japan, in 1998. Neutrinos must have mass to oscillate, their tiny mass gives
clues towards the expansion of the Standard Model. A number of laboratories have begun
programs designed to investigate neutrino oscillation, CERN included. One of the LHC transfer
lines can be used to send a beam of neutrinos 730km through the Earth to purpose-built targets in
the Gran Sasso underground laboratory, Italy.
14 CHAPTER 1. INTRODUCTION
Figure 1.15: Neutrinos Sent from CERN, Switzerland to Gran Sasso, Italy [33]
SPS extraction regions must therefore accommodate numerous types of beam, switching quickly
between one type and another. The SPS is a cycling machine, designed to toggle between different
operation modes following a preprogrammed sequence. For example, SPS may operate for several
cycles delivering LHC beam, only to be followed by some CNGS cycles, then returning to LHC
beam operation.
Derivation of the signals to allow beam transfer is made somewhat complex by the cycling nature
of the SPS machine. Extraction interlocking must take into account ‘soft’ information such as
beam type and destination, as well as ‘hard’ interlocks.
Figure 1.16: SPS is the Source of Neutrinos for the CNGS Experiment [34]
1.2. THE EUROPEAN ORGANISATION FOR NUCLEAR RESEARCH (CERN) 15
Protecting the CERN High Energy Accelerator Chain
Seven elements of the CERN complex require safe and reliable Machine Protection Systems
(MPS):
1. SPS Ring
2. SPS Extraction at SPS Point 4
3. SPS Extraction at SPS Point 6
4. LHC Injection at LHC Point 2
5. LHC Injection at LHC Point 8
6. LHC Ring 1 (for beam one)
7. LHC Ring 2 (for beam two)
The LHC is used as the baseline for the Machine Protection Systems, it has the most strenuous
requirements for time response and safety, with the heaviest consequences in case of failure.
1.2.4 Investment in the LHC Project and its Experiments
The LHC and its detectors are all very complex systems, requiring a substantial investment. To
put the cost of the LHC machine protection system into perspective, one has to understand the
investment at risk if things go wrong. The simplest way to envisage this is to consider the cost of
each of the projects:
Project Cost[MChf]







Table 1.6: The Cost of CNGS, LHC and its Experiments
These figures are only material costs, running of the accelerator complex, LHC machine and
experiments raises the overall investment to some 10 billion francs. The primary role of the
Machine Protection System is to protect the LHC, its experiments and injector chain against
damage from stored energies, whilst simultaneously giving physicists the time they require to run
their experiments fruitfully.
16 CHAPTER 1. INTRODUCTION
Chapter 2
Machine Protection Systems
The LHC machine and its injector chain have a Machine Protection System (MPS) designed to
detect faults, failures and potentially dangerous situations, reacting in time to protect the machine
from damage.
2.1 LHC Stored Energy and Associated Risk
To compare how the LHC differs from other accelerators, consider Figure 2.1 showing the energy
stored in each of the machines. The axes are on a logarithmic scale, clearly the energy in the LHC
is orders of magnitude higher than that of others.
Figure 2.1: Stored Energy of the LHC and other Accelerators [41]
This energy is stored in two key areas:
1. The powering circuits (electrical and magnetic energy)
2. The circulating beam
The Machine Protection System is responsible for protection of the machine against the dangers of
an uncontrolled release of this energy. The Quench Protection System (QPS) and Powering
Interlock Controllers (PIC) safeguard the machine from the energy stored in the powering circuits,
whereas the Beam Interlock System (BIS) protects the machine from the dangers related to the
energy of the beam.
17
18 CHAPTER 2. MACHINE PROTECTION SYSTEMS
2.1.1 Energy in the Powering Circuits
The energy, E, stored in a dipole magnet can be calculated using the magnet current, I, and
inductance, L:
E = 0.5× L× I2 (2.1)
At full current of around 13kA, this gives a stored energy of 7.5MJ per dipole magnet of which
there are 1232 in the LHC Machine, giving a total stored energy of 10GJ, enough energy to heat
and melt more than ten tonnes of copper from room temperature.
The LHC is split into powering subsectors reducing the energy stored in each electrical circuit by
an order of magnitude, to levels similar to other accelerators, this also has the advantage that the
powering system can be made available progressively, allowing for a staged commissioning.
2.1.2 Beam Energy
The LHC is filled with beam from the SPS at the injection energy of 450GeV, adding the two
beam intensities to Figure 1.13 on page 13 gives Figure 2.2.
Figure 2.2: Beam Intensity and Main Dipole Current in an LHC Cycle
Each LHC beam consists of 2808 bunches of 1.15× 1011 protons. Twelve successive beam
injections from SPS, each consisting of 216 or 288 LHC bunches, are needed to make each LHC
beam. The magnetic ramp is started once all the bunches are in place, where the energy of the
beams is increased from 450GeV to 7TeV.
Beam Parameter Value
Proton Energy at Injection 450GeV
Proton Energy at Collision 7TeV
Protons per Bunch 1.15× 1011
Number of Bunches in LHC 2808
Protons in LHC 3.23× 1014
Number of Bunches in SPS Extraction 216 or 288
Protons in SPS Extraction 2.48× 1013 or 3.31× 1013
Number of Bunches in PS Extraction 72
Protons in PS Extraction 8.27× 1012
Table 2.1: Beam Parameters of the LHC [42]
2.1. LHC STORED ENERGY AND ASSOCIATED RISK 19
Beam impact into the material of the accelerator produces a cascade of particles due to nuclear
and electromagnetic interactions, the energy deposition into the material is calculated using
simulation software such as FLUKA, combining this with temperature calculations determines
quench and damage levels, Table 2.2 shows the quench and damage limits for fast losses at both
injection and collision energies.
Consequences Causes (approximate values)Proton Losses Fraction of Beam Percentage of Beam
Quench at 450GeV 2− 3× 109 7.7× 10−6 0.0008%
Damage at 450GeV 1− 2× 1012 4.6× 10−3 0.5%
Quench at 7TeV 1− 2× 106 4.6× 10−9 0.0000005%
Damage at 7TeV 1− 2× 1010 4.6× 10−5 0.005%
Table 2.2: Quench and Damage Levels for the LHC Machine [43]
This table represents the fundamental challenge of the LHC.
2.1.3 Beam Damage Tests and Examples
Experiments have been carried out to judge the accuracy of the beam damage simulations. In 2004
a dedicated experiment was carried out where various intensities of protons were extracted from
the SPS at 450GeV, aimed at a fixed target consisting of several metal plates arranged into layers.
The observed plate destruction and depth was correctly predicted by simulations within an error of
30% [44].
Figure 2.3: Layered Metal Plates Figure 2.4: Damaged Plate
To demonstrate that beam losses and equipment damage are a real threat to the LHC, consider
some examples of beam related damage within the High Energy Physics (HEP) community:
In October 2004 a failure in the SPS ex-
traction system led to a vacuum chamber
being destroyed and the machine being off
line for several days [45].
Figure 2.5: Destroyed SPS Vacuum Chamber
20 CHAPTER 2. MACHINE PROTECTION SYSTEMS
HERA collimators were progressively de-
stroyed by fast beam losses in 2003, which
led to a major overhaul of its protection
system [46].
Figure 2.6: 5mm Groove in HERA Collimator
The Tevatron has failed in numerous ways,
in December 2003 a Roman Pot moved into
the beam, causing a quench and seriously
damaging collimators [47].
Figure 2.7: Damage to a Tevatron Collimator
Any of these failures would prove very costly for the LHC. A failure of the LHC Beam Dump,
where it would be impossible to remove the beam, would be one of the worst possible scenarios,
yet this has already happened at Tevatron [47]. This thesis concerns the beam related machine
protection, which covers more than just the LHC. Figure 2.1 on page 17 shows that even a single
batch of beam being accelerated in the SPS has a similar energy to the whole beam stored in other
accelerators. This means that the beam related machine protection is vital from the SPS
onwards.
Figure 2.8: Accelerator Structures with Beam Based Protection in the CERN Complex
2.2 Protecting the High Energy Accelerators
The LHC Machine Protection System is composed of numerous sub-systems, the protection system
has evolved in the years since it was initially proposed [48] [49] [50]. Figure 2.9 on the next page
compares the current architecture with that of 2000.
2.2. PROTECTING THE HIGH ENERGY ACCELERATORS 21
Figure 2.9: Evolution of the LHC Machine Protection System 2000-2006
The specification which was originally proposed described a simple, modular protection system,
with concise and uncomplicated functions to be carried out by a series of smaller dedicated
systems. The powering and beam protection were separated, leading to the powering interlock and
Beam Interlock System architectures. Function and safety of both were decided at the very
beginning of the project, forming a solid basis for the whole Machine Protection System [51] [52]
[48]. In April 2005 the LHC Machine Protection System was peer reviewed, it was shown to be
sound, representing a reasonable extension of existing systems [53].
The LHC, with its strenuous safety requirements, is the baseline for the machine protection, as a
system that can safely protect LHC can be readily applied to the rest of the complex. The key
beam related protection systems are briefly outlined in the following sections.
LHC Beam Dumping Systems (LBDS)
One of the most critical sub-systems of the LHC Machine Protection System is the LHC Beam
Dumping System (LBDS), it is the only element of the machine that is specifically designed to
withstand the impact of a full LHC beam without damage. The beam dumping system receives
Beam Permit signals from the Beam Interlock System which control the triggering of a beam
abort. A 3µs gap is left in the circulating LHC beam, this is referred to as the abort gap, once the
beam abort is triggered the beam dumping system waits for this abort gap to pass in front of the
extraction kicker magnets in Insertion Region 6 (IR6), then it triggers, spraying the beam into a
purpose built graphite target which absorbs the beam energy without damage.
The dumping system also accepts two further input signals which do not pass through the Beam
Interlock System. The first is a connection to the access system, which will cause a beam abort
and inhibit when personnel are inside potentially dangerous parts of the accelerator complex. The
second is from a dedicated Beam Loss Monitor (BLM), which will independently trigger the beam
dumping system if excessive beam losses are observed around the beam dump region.
22 CHAPTER 2. MACHINE PROTECTION SYSTEMS
Beam Interlock Systems (BIS)
The Beam Interlock System is the backbone of the beam related protection. A Beam Interlock
System takes inputs from User Systems distributed around the machine being protected and
inhibits beam operation if a User System indicates that there is a problem, or that it is not ready
for beam operation. In the LHC the Beam Interlock System links around 180 User Systems
distributed around the circumference of the machine to the beam dump located in Insertion
Region 6, a list of LHC User System connections to the Beam Interlock System can be found in
Appendix C.
The critical function of the Beam Interlock System is to collect User Permit signals, generating
Beam Permit signals. Two interlock systems are used in the LHC, one per beam being protected.
User Systems can either interlock each LHC beam individually via a beam-1 or a beam-2
connection, or they can interlock the two beams simultaneously via a both-beam connection. This
basic ‘AND’ gate structure is the core of the Beam Interlock System, only permitting beam
operation when all User Systems give permission.
Figure 2.10: Simplified Architecture of the Beam Interlock System
During commissioning and at low intensity the stored energy of the beam can be below damage
thresholds. When this is the case a signal is received by the Beam Interlock System which allows
certain less critical User Systems to be ignored (MASKING).
Beam Loss Monitor System (BLMS)
The Beam Loss Monitor System consists of several thousand ionisation chambers located
along-side the beam pipe in the SPS, LHC and transfer lines. When particles escape from the
accelerator they are detected by these chambers and if the number of lost particles is above
predefined threshold then a beam abort is requested. Larger losses can be tolerated at lower
energy, thus the threshold is a function of the actual beam energy. This means that the Beam Loss
Monitor System that is distributed throughout all of the high energy accelerators at CERN,
requires a dependable source of beam energy information.
Safe Machine Parameters (SMP)
The Safe Machine Parameters (SMP) System is responsible for the transmission of mission critical
information concerning the operation of the machines. Safe Machine Parameters are sent through
the CERN General Machine Timing (GMT) exploiting the available bandwidth to make safe and
reliable communications.
This system is responsible for the transmission of several values for the operation of the
machine.
1. Safe Beam Flag (SBF) - This flag is set to TRUE when the stored beam energy is below
damage limits. This is used by the Beam Interlock System to control the masking of inputs.
2.2. PROTECTING THE HIGH ENERGY ACCELERATORS 23
2. Beam Energy - This is a value representing the beam energy, in the LHC this ranges from
450GeV to 7TeV. This is used mainly by the Beam Loss Monitor System to set the
thresholds for beam loss tolerance.
3. Beam Intensity - This is a value representing the number of protons currently in the
machine.
4. Beam Presence - This flag is set when the number of protons in the machine represents the
presence of a beam..
5. Machine Mode - This is a value which describes the current operational mode of the
machine, this is used by several systems for correct operation.
Beam Absorbers and Collimators
Beam absorbers and collimators are used throughout the LHC and the transfer lines, these are
large carbon or metal jaws which can be positioned very close to the beam orbit, scraping off any
particles that have excessively large amplitudes.
Beam absorbers and collimators are critical for the protection against so-called ‘ultra-fast’ losses
that can occur during beam injection or extraction. As an example, in the case of a mis-firing
injection kicker magnet the beam would be deflected into such an absorber.
Normal and Superconducting Magnet Powering Interlocks
The LHC has more than 10000 normal and superconducting magnets, powered from 1712 power
converters.
The normal magnets are interlocked by a system (WIC) based on temperature sensors which
detect high temperatures and interlock before the magnets overheat. The interlock system
provides a signal for switching off the power converters when a failure is detected and provides a
signal to request a beam dump via the Beam Interlock System [54]. [55]. There are seven interlock
controllers for normal conducting magnets installed in the LHC. The SPS and Transfer Lines are
also equipped with similar controllers for the protection of their normal conducting magnets.
The superconducting magnets are protected by two systems, the Quench Protection System and
the Powering Interlock System. In the case of a quench the Quench Protection System triggers the
controlled discharge of the magnet energy and requests that the appropriate power supply be
switched off by the Powering Interlock System. The Powering Interlock System provides a permit
signal to the magnet powering circuits when several conditions are fulfilled: magnet temperatures
are within tolerances, Uninterruptible Power Supplies (UPS) are working correctly, etc. Each of
the 36 LHC powering sub-sectors has a Powering Interlock Controller.
The Beam Interlock System receives User Permit signals from these interlock controllers, only
allowing beam operation if the relevant magnets are powered, at the moment of a magnet failure
the Beam Interlock System requests a beam dump before the decaying magnetic field can
adversely affect the beam orbit.
Both interlock systems are implemented in Programmable Logic Controllers (PLCs), giving a
response time in the order of a millisecond from fault to power down request. For some critical
superconducting magnets a Complex Programmable Logic Device (CPLD) has been added in
parallel to the PLC, providing redundancy and reducing the beam abort response time by an order
of magnitude to around one hundred microseconds. The use of PLCs for this type of protection
has been commonplace for sometime, for example SLAC implemented a PLC interlock system for
superconducting magnets in 1989 and the SPS had a PLC based magnet interlock system installed
in 1998 [56] [57].
Fast Magnet Current-Change Monitors (FMCM)
Several normal conducting magnets have a large effect on beam trajectory and in certain cases the
operation of the powering protection systems is not fast enough to detect a fault and initiate a
beam abort. Some errors, such as an incorrect magnet current, will not trigger a beam abort
24 CHAPTER 2. MACHINE PROTECTION SYSTEMS
through the powering interlocks at all. These cases are protected against by the application of Fast
Magnet Current-Change Monitors (FMCMs) which supervise the operation of these critical
magnets. A changing magnet current implies a changing magnet field, meaning that it is unsafe to
allow beam to pass through the area. The Fast Magnet Current-Change Monitors can be
configured to suit their application, either in the LHC or transfer lines from SPS to LHC.
2.3 Failure Scenarios
The design of the Machine Protection System described in the preceding pages has been based on
extensive research that has revealed the key failure modes of the machine. Failure modes are
classified by beam loss time constants. The failures that lead to the loss of beam in the shortest
time are the most critical. The fastest of these failures relies on passive protection through
collimation, the others must be caught by the Machine Protection System [58].
1. Ultra-Fast Losses could occur during a beam injection or extraction process. In these cases
the beam is completely lost within 100µs. A typical cause would be a badly set magnet
current, resulting in the mis-steering of a beam. Correct settings and passive protection
through collimators and beam absorbers protects against these types of failure.
2. Fast/Very Fast Losses are failures that drive the beam unstable within around ten turns
of the machine. A typical cause could be a magnet quench. One of the worst case failures is
a fault in the D1 separation magnet which is installed at two points in the LHC, in this case
the beam becomes unstable within several turns. Beam Loss Monitors are designed to react
to fast and very fast losses, giving sufficient time to abort the beam before the accelerator is
damaged.
3. Slow Losses take many turns of the machine to develop, having beam loss timescales of at
many milliseconds. Many elements of the Machine Protection System protect against these
failures.
The response times of the MPS sub-systems are shown in Table 2.3 on the facing page, Figure 2.11
shows a graphical representation of these figures, organised by response time.
Figure 2.11: Response Times of Elements of the Machine Protection System
.
Only low intensity beam operation is foreseen during the first months of machine operation, this
allows for a progressive installation of the less critical elements of the beam related Machine
Protection System following the start of LHC operation.


































































































































































































































































































































































































































































































































































































































































































































26 CHAPTER 2. MACHINE PROTECTION SYSTEMS
2.4 Dependability
The LHC is the first accelerator to have a protection system with a dependability specification, in
practice the only accelerator related systems that must legally be analysed for dependability are
those that involve personnel protection, but as the euro-value of accelerators and experiments
grows, the loss of all or part of a machine could mean that the construction of a new particle
accelerator of similar scale would be questionable. Dependable interlock systems have to be
employed ensuring that the machine is fully protected from itself [59] [60].
Dependability is the term used to describe many aspects of safety engineering, the most commonly
known terms which it encompasses are:
• Safety - linked to the consequences of system failure.
• Reliability - The continuity of system operation.
• Maintainability - The ability of a system to be modified and repaired.
• Availability - The readiness of a system for operation.
• Mean Time Between Failures (MTBF) or Failures in Time (FIT) - A measure of the
statistically predicted time between failures.
• Failure Modes - The way in which a system fails.
The specification of the LHC Machine Protection System gives the dependability requirement in
the form of a Safety Integrity Level (SIL). Four possible levels exist, from 1 to 4. SIL 4 is the most
strenuous. These are defined by the IEC-61508 standard [61], which gives the following
relationship between SIL and Mean Time Between Failures:
Safety Probability of Dangerous Failure Mean Time Between Unsafe Failures
Integrity Level [per Hour] [Years]
4 10−9 to 10−8 ≈ 23000
3 10−8 to 10−7 ≈ 2300
2 10−7 to 10−6 ≈ 230
1 10−6 to 10−5 ≈ 23
Table 2.4: Probabilities for Unsafe Failure Rates [62]
The SIL chosen for a specific system is determined from two properties of the unprotected
system:
1. The expected frequency of failures
2. The consequences of these failures
Although the IEC 61508 bases the choice on events leading to the possible loss of human life, the
consequences of failure in the case of the LHC are counted financially and in terms of efficiency.
Consequences are split into four categories: catastrophic, critical, marginal and negligible.
• Catastrophic consequences of LHC protection system failure could be damage or
destruction of several collimators and possibly many superconducting magnets. In these
cases the cost of repair would start from many tens of millions of Swiss Francs, leading to
many months of downtime, it could be argued that if a large proportion of the machine is
damaged then the cost of rebuilding the LHC would be prohibitive. Without proper
protection it’s considered a catastrophic failure would feasibly occur in the twenty-year
lifetime of the LHC, this is based on experience from other accelerators such as SPS [45],
HERA [46] and Tevatron [47] that have all had failures that would probably be catastrophic
if scaled up to the LHC [63].
• Critical consequences of failure could be the destruction of one or more LHC
superconducting dipole magnets, costing several million Swiss Francs and leaving the
machine inoperable for several weeks. It’s considered that a critical failure would occur at
least once per year without the LHC protection system [64].
2.4. DEPENDABILITY 27
• Marginal consequences are events such as destruction of collimator jaws. Several hundred
thousand Swiss Francs would need to be invested to replace the jaw, with a downtime of
around two weeks [65].
• Other failures with less impact are considered negligible these do not necessarily result in
costly damage to equipment but almost certainly result in reduced efficiency through loss of
beam physics.
The expected frequency of these four categories of failures is used to derive the SIL requirement of
the Machine Protection System. The look up table in IEC-61508 is shown in Table 2.5.
Frequency per year ConsequenceCatastrophic Critical Marginal Negligible
Frequent 1 SIL4 SIL3 SIL3 SIL2
Probable 0.1 SIL3 SIL3 SIL3 SIL2
Occasional 0.01 SIL3 SIL3 SIL2 SIL1
Remote 0.001 SIL3 SIL2 SIL2 SIL1
Improbable 0.0001 SIL3 SIL2 SIL1 SIL1
Not Credible 0.00001 SIL2 SIL1 SIL1 SIL1
cost [Millions of CHF] >50 1-50 0.1-1 0-0.1
downtime [days] >180 20-180 3-20 0-3
Table 2.5: SIL Requirements after Risk Classification[66] [67]
The determining factor in the safety specification is the prevention of catastrophic failure, leading
to SIL 3 for the dependability specification, highlighted in blue in Table 2.5. This was chosen as a
realistically attainable safety making the chances of unsafe failure As Low As Reasonably Possible
(ALARP), with development costs and time in proportion to the whole machine.
A single 10 hour operation of the LHC is referred to as a mission, some 400 missions per year are
expected, a SIL 3 Machine Protection System has less than a 1% chance of failure in the 8000
missions that are expected in the 20 year lifetime of the LHC.
2.4.1 Realising the Safety Specification
Realising the SIL 3 requirements of the LHC Machine Protection System could be interpreted to
mean that every sub-system of the LHC Machine Protection System would need to be much safer
than SIL 3 to result in a combined safety that meets the specification. In fact this is not true, as
Figure 2.11 on page 24 shows that in almost every case there is a combination of sub-systems that
will detect a fault, and only one of these needs to react to the fault and trigger a beam
abort.
The fundamental principle of the beam related protection is that every failure of the machine leads
to beam losses, either directly or indirectly. A minimalistic approach considers that fast beam
losses will be detected by the Beam Loss Monitors with slower losses also being detected by the
Quench Protection System which will trigger a beam abort via the Powering Interlock Controllers.
This beam abort request must be correctly actioned by the Beam Interlock System and the LHC
Beam Dumping System in order for the Machine Protection System to have correctly functioned
[68].
Figure 2.12 on the next page shows the critical transmission paths from failure to beam abort, it is
this section of the machine protection system that must be SIL 3. The Access System and
dedicated Beam Loss Monitor that are connected directly to the Beam Dumping System do not
form part of the calculations for the safety of the Machine Protection System.
28 CHAPTER 2. MACHINE PROTECTION SYSTEMS
Figure 2.12: Cross Redundancy Following a Failure, adapted from [68]
2.4.2 Beam Interlock System Dependability Requirements
One of the key aspects of a safety control-system is determinism, whereby a system will react in a
predictable way to a given situation. This simple statement rules out a lot of design ideas, such as
Fuzzy Logic or any kind of Neural or Learning Machine, that could otherwise be feasibly
implemented for control purposes. Safety design starts at the lowest level of the system and a basic
choice must be made concerning a trade off between choice of technology, operating speed and
inherent safety.
Technology Reaction Time Inherent Safety
Microprocessor (µP) ≈ ns Faster Low Worse
Programmable Logic Device (PLD) ≈ µs ↑ High ↓
Programmable Logic Controller (PLC) ≈ ms Slower Highest Better
Table 2.6: Hardware Implementation versus Speed of Response versus Inherent Safety
There are three different technologies that are widely used for safety-critical control systems, each
has a different fundamental operating speed and inherent safety, these are compared in
Table 2.6.
Microprocessor systems are inherently fast, with typical processing times in the order of a few
nanoseconds, however, the inherent use of software to control the process leads to unsafety.
Accelerators for hadron therapy are a good example of microprocessors in use, to achieve safety,
operators are given a clear graphical interface usually running on a computer platform while a
PLC runs in parallel, interlocking the machine if a dangerous situations arises [69].
So why is software so bad for safety? Well, since software is pure design there is no need to worry
about the random wearout failures found in physical devices, which is a plus, but system
behaviour can be significantly affected by software design errors [70]. Software can never be
perfect, even specialised software only claims to reduce errors to one in every 10000 lines [71], a
study by the British Royal Signals and Radar Establishment used commercial tools to determine
the number of errors in software written for some highly safety-critical systems [72]. Up to 10% of
the program modules or individual functions were shown to deviate from specification in one or
more modes of operation.
A Programmable Logic Device, such as a CPLD or Field Programmable Gate Array (FPGA)
is a small integrated circuit that can be programmed to perform desired electronic functions. This
‘programming’ physically creates a circuit inside the device which can represent anything from a
microprocessor to simple discrete logic. The final implementation can be almost completely
verified by exploiting JTAG and for simpler circuits end-to-end functional testing is possible [73]
[74]. More complicated circuits, such as microprocessors, exhibit all the problems associated with
software, but PLDs programmed with simple functions have a high inherent safety. PLDs are
widely used in other HEP Interlock Systems, such as the BESSY and LNLS personnel interlocks
and the RF station interlock of the European X-Ray Laser [75] [76] [77].
Programmable Logic Controllers are the safest of all implementations shown here if specific
safety related devices are used. These have redundant architectures and reduced instruction sets
and are purpose built for use in safety critical situations. PLCs in general are used in slow control
systems, having a simple function carried out by a robust and deterministic controller, leading to a
very safe yet somewhat slow control system.
Combining all these discussions as well as the specification of the Beam Interlock System [78] leads
to the following criteria for the realisation of the Beam Interlock System.
2.4. DEPENDABILITY 29
1. Low-level hardware design, Programmable Logic Device (PLD) basis.
2. Reaction time in LHC < 100µs.
3. Meeting at least Safety Integrity Level 3.
4. Less than 1% all missions should be prematurely aborted due to failure of the system.
A simple diagram with probability of failure during a single 10 hour mission is shown in
Figure 2.13, it assumes that only one failure can occur at a time.
Figure 2.13: Specified Probability of Beam Interlock System Failure Modes
Realising these key points is the fundamental challenge of the design of the Beam Interlock
System, the specification of SIL 3 is particularly challenging to meet. The following chapter
introduces the Beam Interlock System in more detail, describing its design and conception as a
dependable communications system for the beam related Machine Protection Systems of the
CERN high energy accelerators.




The Beam Interlock System forms the backbone of the Machine Protection Systems installed in
the CERN accelerator complex. Each system takes USER PERMIT signals given by various User
Systems and converts them into BEAM PERMIT signals used by the injection, extraction and
beam dumping systems to permit or inhibit beam operation. In the circular accelerators a
transition from beam permit to beam inhibit causes the circulating beam to be extracted from the
machine and dumped in a purpose built dissipation block.
Altogether there are seven applications in the CERN accelerator complex, all of which must be
installed and commissioned before the LHC can start high intensity beam operation. The system
is a generic solution to the interlocking requirements existing throughout CERN high energy
accelerators. Two different architectures can be used to meet the requirements of different areas of
the complex.
1. Ring - protecting the circular SPS and LHC machines.
2. Tree - protecting the extraction and injection systems.
Beam Interlock System System Using BEAM PERMIT Architecture
LHC beam-1 LHC Beam-1 Dumping System Ring
LHC beam-2 LHC Beam-2 Dumping System Ring
SPS SPS Beam Dumping System Ring
LHC beam-1 injection LHC beam-1 injection kicker Tree
LHC beam-2 injection LHC beam-2 injection kicker Tree
SPS BA4 extraction SPS BA4 extraction kicker Tree
SPS BA6 extraction SPS BA6 extraction kicker Tree
Table 3.1: Beam Interlock Systems in the CERN Accelerator Complex
Throughout the development of the Beam Interlock System the SPS has been used to test
prototype and preseries ring architectures, with SPS BA4 extraction being used to test the tree
architectures. In both cases the same basic Beam Interlock System is used, the tree system is
formed by being connecting the components of the system together in a slightly different
way.
It’s important to understand that with the advent of each new accelerator, protection and control
systems are enhanced and upgraded from existing designs, only in very rare cases is it necessary to
introduce a completely new concept. ‘Design evolution, not revolution’ is a good way to describe
the development of the LHC Machine Protection System. The Beam Interlock System is no
exception to this rule, research and development was started in around 2002 with the initial
concept based on systems in operation in other CERN accelerators and other High-Energy Physics
laboratories [48].
This thesis is centred on the work carried out between early 2004 and late 2006, taking the
prototype systems first created as a basis, enhancing and expanding them to meet the full Beam
31
32 CHAPTER 3. BEAM INTERLOCK SYSTEM INTRODUCTION
Interlock System specification. The final installation date of the interlock systems is Autumn 2007,
to be commissioned in time for the first injections of beam into the LHC scheduled later that
year.
Figure 3.1: Research, Development, Prototyping and Installation Schedule of the BIS
The various components of the Beam Interlock System are referred to by pseudonym, this starts
with CIB meaning Controls-Interlocks-Beam, up to two letters are appended to distinguish the
various subsystems. The key subsystems are described in this chapter, their definitions can also be
found in the glossary at the end of this thesis.
3.1 Reaction Time
One of the most strenuous specifications of the Beam Interlock System is the response time, the
previous chapter has already shown that the LHC stored beam energy is more than capable of
destroying the machine. A failure or bad setting can lead to the beam in the LHC becoming
dangerous after only a few turns of the machine. A single turn takes around 90µs, meaning that
fast failures must be detected and reacted to within just hundreds of microseconds. Figure 3.2
shows the reaction time of the Machine Protection System that is required in order to protect the
LHC machine from fast and very fast losses.
• t0: A fault or dangerous situation arises, that could result in damage to the machine.
• t1: A User System reacts to the fault, informing the Beam Interlock System by setting
USER PERMIT to FALSE.
• t2: The Beam Interlock System informs the beam dumping system, by setting
BEAM PERMIT to FALSE.
• t3: The Beam Abort begins, a maximum of 90µs after the change in BEAM PERMIT,
whilst the beam dumping system waits for the beam abort gap.
• t4: The Beam Abort is completed after one full turn.
Figure 3.2: A Breakdown of the MPS Reaction Time
The Machine Protection Systems require a Beam Interlock System that can transmit a Beam
Abort request to the beam dumping systems within 100µs of a failure from any point around the
machine. The Beam Interlock System is essentially a high-speed, highly dependable, distributed
communications system. In the LHC there will be less than two turns delay between
USER PERMIT becoming FALSE and the appropriate BEAM PERMIT being detected as FALSE
3.2. BEAM-1, BEAM-2 AND BOTH-BEAM INTERLOCKING IN THE LHC 33
by the relevant beam dumping system. A Beam Interlock System that meets the LHC
specification can be safely applied to any of the other implementations. In principle this means
that the LHC is used as the basis for the system realisation.
The following sections briefly review the realisation of the LHC system using a ring architecture,
Chapter 4 explains the realisation of the Beam Interlock System in detail, including the steps taken
to accommodate the tree architecture.
3.2 Beam-1, Beam-2 and Both-Beam Interlocking in the
LHC
The LHC has two counter rotating beams, beam-1 travelling clockwise, and beam-2 anti-clockwise.
This means that LHC has two beam dumping systems, and two Beam Interlock Systems, one for
each beam. If a fault occurs in a beam-1 system then strictly speaking the beam-2 dumping
system need not be activated, so the two systems operate independently. The dumping systems
are completely independent, each receiving a unique BEAM PERMIT signal. The critical function
of the Beam Interlock System is to provide the relevant beam dumping system with
BEAM PERMIT TRUE only when all relevant USER PERMIT signals are TRUE.
User Systems can either act on both LHC beams simultaneously, or each LHC beam
independently. The Beam Interlock System provides connections to accommodate different User
Systems, ensuring that the correct LHC beam or beams are interlocked, this creates a simple
architecture as shown in Figure 3.3.
Figure 3.3: Beam-1, Beam-2 and Both-Beam Interface to the Beam Interlock System
A simple colour scheme has been employed to help identify the various sub-systems. Those
relating to beam-1 are blue, having signals are appended with B1, sub-systems that relate to
beam-2 are red, signals are appended with B2, those signals relating to both-beams are purple,
being appended with B1B2. In the cases where only a single beam is present, such as the SPS,
the sub-systems are usually purple, with signals having no appendage, as no differentiation
between beams is needed.
3.3 Architecture of the LHC Beam Interlock System
The architecture of the LHC Beam Interlock System is closely tailored to the geographical layout
of the LHC Machine. The LHC Beam Dumping System is situated in Insertion Region 6 (IR6),
and the Machine Protection System is distributed around the whole circumference of the LHC, it
follows that the LHC Beam Interlock System has sixteen Beam Interlock Controllers (BICs) per
beam. Each acts as a local concentrator, the controllers are distributed around the machine, one
installed to the left and one to the right of each Insertion Region.
34 CHAPTER 3. BEAM INTERLOCK SYSTEM INTRODUCTION
Figure 3.4: LHC Layout with Permit Loops and Controllers and Dumping Systems (not to scale)
Beam permit loops link the controllers with the beam dumping system, the key points of the LHC
Beam Interlock System are shown on Figure 3.4 with respect to the machine itself, the dashed red
and blue lines in the centre represent the beam passage, with the solid red and blue lines
indicating the beam permit loops. The beam-1 and beam-2 dumping systems shown in the upper
right hand corner.
3.3.1 Beam Permit Loops
Beam permit loops start at Insertion Region 6, travelling around the machine passing through
each controller in turn. These loops are optical, minimising the propagation delay as signals can
travel at almost the speed of light. Furthermore, two loops are used for each BEAM PERMIT, one
each in a clockwise and anti-clockwise path, these are labelled A for anticlockwise, and B for
clockwise. Having two counter-rotating loops means that the BEAM PERMIT signal always takes
the shortest path back to the beam dumping system, giving the optimum response time. There are
four beam permit loops altogether, two each for beam-1 and beam-2.
The principle of the beam permit loop is very simple, a generator is implemented that transmits a
frequency which passes through each controller in turn. Each controller creates a
LOCAL BEAM PERMIT signal which evaluates to TRUE when all the connected User Systems
have USER PERMIT TRUE. LOCAL BEAM PERMIT is used to control a switch on the beam
permit loop, the switch is closed when the signal is TRUE. In this way, having a frequency at the
end of the loop means that all LOCAL BEAM PERMIT signals are TRUE and hence the relevant
BEAM PERMIT can also be considered as TRUE. A detector is embedded in the beam dumping
system which monitors the permit loop and determines the logical value of BEAM PERMIT. A
transition from TRUE to FALSE initiates a beam dump.
Figure 3.5: Generator and Detector Principle for the BEAM PERMIT signal
In the ring interlock systems the generation of frequency is conditional on the presence of
frequency at the end of the loop, this is referred to as ‘closed-loop’ operation. In this case once the
3.3. ARCHITECTURE OF THE LHC BEAM INTERLOCK SYSTEM 35
loop is broken the frequency is no longer generated. The tree interlock systems have ‘open-loop’
operation, relaxing the constraints for arming and disarming of the permit loop.
Figure 3.6 shows the implementation of a pair of beam permit loops, carrying the
BEAM PERMIT signals A and B for LHC beam-2.
Figure 3.6: Beam Permit Loops for LHC Beam-2
The permit loop is not a new idea, the principles and implementation are heavily based on systems
designed and implemented in other accelerators. A very early example of frequency being used for
a safety critical system is in the PEP personnel protection system at SLAC; in the late 70’s
‘tone-loops’ were implemented, highly synonymous to the permit loops of the LHC [79]. Similarly,
in the 80’s Ducar at Fermilab implemented a ‘permit link’ with ‘permit concentrators’ and ‘permit
generators’, the same system was adapted and carried over for the Tevatron and NuMI at Fermilab
[80]. In the 90’s Conkling at Brookhaven National Laboratory (BNL) used Ducar’s work as the
basis for their safety interlocks [81]. The initial proposals for the Beam Interlock System included
beam permit loops based on the Brookhaven design [82]. Clearly the LHC beam permit loop is an
example of system evolution rather than revolution in accelerator controls.
Generally, the use of a frequency to describe a logic level is considered to be almost entirely
fail-safe, almost every failure results in the link becoming stuck at one of the logic levels or
oscillating at a different frequency than that which represents BEAM PERMIT TRUE. It is
regarded as a sound implementation for highly critical status signals. This statement is justified by
the dependability analysis of the beam permit loops and optical components that has been carried
out, where failures of beam permit loop components have been quantified and their impact on the
system safety have been shown to be acceptable.
3.3.2 Beam Interlock Controllers (BICs)
The Beam Interlock Controllers (BICs) take USER PERMIT signals from up to fourteen User
Systems and generate a LOCAL BEAM PERMIT which is TRUE only when all the User Systems
connected to the controller can be considered as ready for beam. The sixteen distributed
controllers in the LHC can accommodate over 200 User System inputs. Not all of these channels
are used, a current list of all LHC User Systems and their connections can be found in
Appendix C.
36 CHAPTER 3. BEAM INTERLOCK SYSTEM INTRODUCTION
Figure 3.7: Simple Block Diagram of a pair of LHC Beam Interlock Controllers
The controller is embedded in a Versa Module Europa (VME) chassis, which is a CERN standard
front-end. This provides remote access via a Power PC and ethernet. A single VME chassis has
been enhanced to house a pair of controllers, one for LHC beam-1 and the other for beam-2. In
other parts of the CERN accelerator complex, where only a single beam is to be interlocked, the
VME chassis can be configured to implement two controllers operating independently. The
implementation of two controllers in a single chassis reduces the cost of the system considerably, as
each VME chassis with dual power supply costs almost 10,000 CHF [83].
The key components of a controller are two VME boards; a Manager and Test & Monitor
board.
The Manager (CIBM), performs the critical operation of ‘AND’-ing the USER PERMIT signals
to create LOCAL BEAM PERMIT it also records a history of changes in a history buffer which is
synchronised to the General Machine Timing (GMT). This logs all events to 1µs precision. The
Manager has an interface to the VME bus, and can be remotely interrogated and configured via an
ethernet link through a Power PC embedded in the VME chassis.
The Test & Monitor (CIBT), performs the non-critical operations of supervising the
distributed sections of the controller and intialising test routines, acting as a relay between the
Manager and the distributed components of the Beam Interlock System. communications takes
place over dedicated full-duplex serial links, without software and without hardware flow control.
The Test & Monitor board has no need for a VME interface or the associated software drivers and
protocols for operation.
The Manager is the only remotely accessed hardware of the controller, Figure 3.7 shows the basic
block diagram of the LHC VME chassis, including two controllers, one for beam-1 and the other
for beam-2.
3.3.3 Expanding the Manager (CIBM)
The key component of the Manager is an AND-gate used to derive LOCAL BEAM PERMIT from
the fourteen USER PERMIT signals. This AND gate analogy is slightly misleading, the function
3.4. CONNECTING TO THE USER SYSTEMS 37
is more complex, implemented within a small Complex Programmable Logic Device (CPLD)
referred to as a matrix.
The matrix has four features that extend its functionality beyond the simple AND structure:
1. A Software Interlock Input - Allowing for more complicated interlocking criteria to be
established, the SOFTWARE PERMIT can be set and reset via the ethernet connection.
2. A Safe Beam Flag - This SAFE BEAM FLAG is provided by the Safe Machine
Parameters System (SMP), it allows a certain section of the USER PERMIT signals to be
ignored (MASKED) when the SAFE BEAM FLAG is TRUE. This indicates that the energy
and intensity of the beam in the LHC machine is below damage thresholds for the LHC
components. The maskable versus un-maskable partition is permanently defined in hardware.
3. Glitch Filters - That remove any spurious changes in the USER PERMIT signal having a
duration of less than around 2µs. This increases the availability of the system by removing
transient effects that could otherwise cause false beam dumps. A record of glitches is
maintained in the Manager.
4. Latching Outputs - In the LHC version of the Manager, the LOCAL BEAM PERMIT
signal latches when it transitions TRUE to FALSE. This means that it has to be rearmed
after each activation, ensuring that the post-mortem process is carried out and that
intervention is required before the machine may begin a new mission.
It may be subject to debate whether the implementation of the matrix function in small CPLD
having a form of VHDL ‘program’ should constitute software. In fact the matrix CPLD is a small
digital circuit operating in a robust and deterministic manner, the VHDL defines the circuit
operation, essentially describing hardware. In principle, the CPLD replaces many discrete 7400
type devices that would be capable of implementing the same function.
3.4 Connecting to the User Systems
The USER PERMIT signals given to the matrix originate in User Systems distributed around the
machine. These are based on many different types of hardware platform, ranging from slow acting
PLCs with operational at 24V to faster VME type systems with only 5V operation. To
accommodate these different systems, a homogeneous User Interface (CIBU) has been designed
that uses current loops as inputs. The logic levels of these current loops are read, conditioned and
converted to differential RS485 using simple fail-safe techniques.
3.4.1 Making a Fail-Safe RS485 Link
Two types of RS485 transmission are implemented in the Beam Interlock System. Flags, which are
sent as DC signals and data, sent as Manchester encoded frames. The transceiver chosen for the
implementation of these links is the MAX3440E from Maxim, this is slew-rate limited, with ‘true
fail-safe’, so when a fault condition arises it behaves in a deterministic way, with a guaranteed
output level. Shielded twisted pair cable, coupled with slew-rate-limited transmissions and
bi-directional termination is used to maintain signal integrity. Links passing outside of the closed
space of the controller are completely protected with Transient Voltage Suppressor diodes (TVS).
Chapter 4 details the Electro-Magnetic Compatibility (EMC) and signal integrity analysis that has
been carried out on the differential links. The circuit used is shown in Figure 3.8 on the next page,
RT being approximately equal to the ZO of the interconnection.
38 CHAPTER 3. BEAM INTERLOCK SYSTEM INTRODUCTION
Figure 3.8: Fail Safe RS485 Link Implementation
To implement the link in a safe manner RX and RX FAULT both have to be considered. A typical
example for the transmission of USER PERMIT is shown in Table 3.2, note that the critical
signals are programmed active low as failures lead to a logic ‘1’ output. TX FAULT could also be
considered for link diagnosis, but in most cases its operation is identical to RX FAULT. The
increased complication of remote read-back, resynchronisation and real-time comparison of
TX FAULT is largely unjustified.
Differential Voltage Common Mode Voltage RX RX FAULT USER PERMIT
[Volts] [Volts] [Logic Level] [Logic Level] [Boolean]
x > 12 1 1 FALSE
≥ 0.45
< −7 and > 12
1 0 FALSE
0.27 to 0.45 1 ? FALSE
−0.05 to 0.27 1 1 FALSE
−0.20 to −0.05 ? 1 FALSE
−0.27 to −0.20 0 1 FALSE
−0.45 to −0.27 0 ? ?
≤ −0.45 0 0 TRUE
x < −7 1 1 FALSE
Table 3.2: RX FAULT and RX of the MAX3440E Transceiver [84]
A ‘?’ in the table represents a condition that could lead to an output oscillating, an ‘x’ is a don’t
care state. There are also several further comparisons built into the MAX3440E transceiver which
lead to RX FAULT and RX failing-safe to logic ‘1’:
• Either A or B (or both A and B) shorted to a Voltage between 7 and 12 Volts
• Either A or B (or both A and B) open circuit
• Either A or B (or both A and B) less than 7 or greater than 12 Volts
• A shorted to B
Combining these characteristics, and correctly selecting the transmission polarity of a signal means
that the RS485 links can be guaranteed to fail safe. The Beam Interlock System is not the first
project to use RS485 communications, it’s extensively used at CERN in the machine timing and
field busses exploited by PLC systems [85]. Other Machine Protection Systems, such as those
found at BSRF and TRISTAN are heavily based on the use of RS485 differential signalling [86]
[87]. It has to be noted that Electro-Magnetic Compatibility has been addressed at a fundamental
level as RS485 is highly immune to external effects, using slew-rate limited transmitters and
effective cable shielding has ensured that the Beam Interlock System is not a source of perturbation
for neighbouring systems. Appendix A describes the results of comparisons of RS485 to other
transmission techniques that were considered during the initial stages of the system design.
3.4.2 BEAM PERMIT INFO
In addition to giving a USER PERMIT signal, the User Systems are supplied with a
BEAM PERMIT INFO signal from the Beam Interlock Controller. This signal evaluates to TRUE
when the BEAM PERMIT signals A and B are both TRUE for the relevant beam.
BEAM PERMIT INFO is derived by carrying out a local detection of the beam permit loop
3.4. CONNECTING TO THE USER SYSTEMS 39
frequencies in each controller. The BEAM PERMIT signal is a logical ‘OR’ of the
BEAM PERMIT signals for beam-1 and beam-2 in the case of the both-beam systems.
Beam-1 Beam-2 Beam-1 Beam-2 Both-Beam
PERMIT A ‘AND’ B PERMIT A ‘AND’ B INFO INFO INFO
FALSE FALSE FALSE FALSE FALSE
FALSE TRUE FALSE TRUE TRUE
TRUE FALSE TRUE FALSE TRUE
TRUE TRUE TRUE TRUE TRUE
Table 3.3: Truth Table for the BEAM PERMIT INFO signals
The frequency detection used to create the BEAM PERMIT INFO does not need to be fast, or
excessively accurate. Detecting the loop frequency ±10% with a response time of some 100’s of µs
is more than acceptable. As its name suggests BEAM PERMIT INFO is NOT a safety critical
signal. The main purpose it serves is for information only. For example, some User Systems check
to ensure that the BEAM PERMIT INFO is FALSE before running self test programs. Above all,
it is not used to drive a control process directly related to the safe operation of the machine.
3.4.3 Redundant USER PERMITs
Studies presented in Section 4.8 show that a simple system does not meet the safety requirements
specified for the Beam Interlock System. Continuing the redundancy that is already present in the
beam permit loops throughout the system to the USER PERMIT signals improves the safety of
the system to reach the specified Safety Integrity Level. Expanding Figure 3.3 on page 33 to show
these signals leads to Figure 3.9.
Figure 3.9: Redundant Critical Paths and Non-Critical BEAM PERMIT INFO
The USER PERMIT, LOCAL BEAM PERMIT and BEAM PERMIT signals are the only signals
that are safety-critical during the operation of the machine as failures in other signals cannot lead
to a dangerous state of operation.
3.4.4 The User Interface (CIBU)
The User Interface is a discrete hardware unit, translating the USER PERMIT current loops
driven by User Systems into RS485 signals. BEAM PERMIT INFO is returned to the User
System through a transistor which allows a simple current or logic interface to be realised in the
User System. The User Interface is relatively simple, an expanded block diagram is shown in
Figure 3.10 on the next page.
40 CHAPTER 3. BEAM INTERLOCK SYSTEM INTRODUCTION
Figure 3.10: Simple Block Diagram of the User Interface Hardware
A full duplex serial connection called TEST and MONITOR is implemented, allowing the User
Interface to be remotely monitored and tested As Good As New (AGAN) before each mission.
Also shown in the diagram is a dedicated DC supply (CIBD) which is installed in each
Interface.
3.4.5 Accommodating Simultaneous and Independent LHC User
Systems
In almost every case the User Systems interlocking the two LHC beams independently do so from
the same geographic location, and in most cases from the same electronic hardware. This has been
exploited to make the User Interface more effective with a single mechanical hardware capable of
containing two sets of the Interface electronics. The units that provide a double connection are
called CIBUD, those that provide a single are called CIBUS. In the cases where there is only a
single beam to be interlocked a Single-Interface is used, User Systems that interlock the LHC
beams independently are given a Double-Interface allowing both connections to be made through a
single hardware unit. Figure 3.11 goes some way to explaining this:
Figure 3.11: The Two Variants of the User Interface
Socket and connector coding has been used to ensure that the connections for beam-1 and beam-2
3.5. MEETING THE DEPENDABILITY REQUIREMENTS 41
cannot be reversed in the Double-Interface, Appendix E shows the variations.
3.5 Meeting the Dependability Requirements
The dual-use components, such as the SPS VME chassis and Double-Interface are very successful
in making a system more reliable, but in fact have a negligible effect on safety. To reach required
safety level studies have shown that that the system had to be doubled, with redundant paths used
for all the USER PERMIT signals.
Section 2.4.1 laid out the dependability specification of the Beam Interlock System, interpreting
the figures shown there leads to the following description.
The Beam Interlock System must react to a single change in USER PERMIT by
correctly actioning the relevant BEAM PERMIT with a safety better than or equal to
Safety Integrity Level 3. Less than 1% of missions must be aborted due to failures in
the Beam Interlock System.
Studies have shown that the system mathematically meets this specification. In meeting the safety
requirements the system becomes much more complex, and hence less reliable. Trade off in failure
modes has been made, making the system more available, the system statistically meets the
requirement of less than four false beam dumps per year.
It is important to understand why one cannot say that the system will meet the specification, this
is because of the methods used in reliability prediction. One can never be absolutely sure of a
component failure rate, or failure mode. Mathematical models and high-temperature tests are used
to form a statistical prediction concerning the operation of the system. Hence, one can only say
that mathematically, or statistically, the system should match the prescribed requirements.
The discussion relating to the system safety design and the predicted failure rates and modes is
presented in Section 4.8.
3.6 Supervision of the Beam Interlock System
The Beam Interlock System is crucial for operation, being ultimately responsible for permitting
machine operation with beam. LHC operators are expected to know the basic operation of the
Beam Interlock System, but are not expected to understand the internal workings, whereas
machine interlock experts need to be able to also visualise the low-level internal operation of the
system. The critical functions of the Beam Interlock System are implemented in pure hardware,
completely free of software. However, software is needed for the supervision of the systems. The
supervision is split into two sections following the requirements of the operations team and
interlock experts.
1. Operator Screens - showing the basic function of the Beam Interlock Systems from a
purely operational point of view.
2. Specialist Screens - showing all the details of the system operation, from the user to
system levels.
There are three key aspects to the supervision, related to the operational timescale:
1. Before Operation - before the machines are to be operated with beam it must be possible
to test, commission and verify the complete operation of the systems. Detailed hardware
processes have been implemented to provide complete testing. These processes need to be
triggered by user-friendly software that allows quick and concise testing, with rapid diagnosis
of any problems that may exist.
2. During Operation - when the machines are being operated it must be possible to verify
that the critical paths of the Beam Interlock System are operating correctly. This includes
the extraction zones that require detailed views of processes that last just some milliseconds.
It must also be possible to rapidly observe and diagnose any sections that may be
experiencing problems, such redundant power supply statuses or errors in serialised
communications channels.
42 CHAPTER 3. BEAM INTERLOCK SYSTEM INTRODUCTION
3. After Operation - once a failure has been observed and the beam has been dumped or a
beam transfer has been inhibited it must be possible to interrogate the Beam Interlock
System to determine the reason for the missing kick or beam dump. The Beam Interlock
System acts as the first point of call concerning this so-called Post Mortem of the machines.
This is especially important in the LHC, where each and every beam abort must be fully
analysed to ensure that the safety of the machine has not been compromised.
All of these functions are undertaken by a dedicated software, the CERN Neutrinos to Gran Sasso
project has allowed prototype supervision screens to be developed, showing an overview of the
global SPS machine operation, and the function of each Beam Interlock Controller installed in the




This chapter describes the design and realisation of the Beam Interlock System. A generic system
has been designed, capable of meeting the requirements of all four parts of the CERN accelerator
complex that require a Beam Interlock System.
1. The LHC ring
2. The SPS ring
3. LHC injection
4. SPS extraction
The LHC has two counter-rotating beams, it can be considered that these are protected by
individual interlock systems. Equally the two SPS extraction zones and two LHC injection zones
each have Beam Interlock Systems. In total the CERN accelerator complex can be considered to
have seven systems, as shown in Figure 4.1 on the next page, the direction of beam travel is
marked by the arrows on this figure. The LHC shown in green has two interlock systems, one for
beam-1, the other for beam-2. A generic Beam Interlock System refers to these systems that are
protecting the LHC, which are used as the specification of the Beam Interlock System as they have
the safety and time constraints that are the hardest to meet. Any system that satisfies the
requirements of the LHC Machine Protection System can be applied to any part of the CERN
accelerator complex.
The LHC beam is accelerated in first the PS then the SPS accelerators before finally being
transferred to the LHC. Beam energy and intensity reaches damage thresholds in the SPS
accelerator, from this moment a Beam Interlock System is required to protect the machines. In
principle the seven Beam Interlock Systems are discrete, each having their own inputs and
outputs. Part of the fundamental requirement of the Machine Protection System is that a beam
transfer process is interlocked against transferring a beam into part of the complex that is not
ready. To meet this requirement the BEAM PERMIT of the destination machine can used as an
input to the source machine’s interlock system, chaining together the interlock systems at a
hardware level for protection during beam transfers.
Figure 4.2 on the following page shows a typical feedback where LHC BEAM PERMIT is used as
an input to the injection interlock systems. Injection permit is also an input to the extraction
interlock. The extraction system will not give an extraction enable window if the LHC is not ready
for beam, ensuring that beam transfer is made in a safe, reliable and deterministic way.
43
44 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
Figure 4.1: Part of the CERN Accelerator Complex and Associated Beam Interlock Systems
Figure 4.2: Feedback of Beam Permit from Destination to Source Equipment
Ring and Tree Structures
To serve all the requirements, there are two different hierarchies that can be implemented for the
Beam Interlock System. A ring architecture is used in the LHC and SPS rings, whereas a tree
architecture is used in the extraction and injection zones. Fundamentally the sub-components of
the Beam Interlock System have been designed to accommodate these without modification, simply
connecting the system components together differently creates the different architectures.
45
Figure 4.3: Ring Versus Tree Architectures of the Beam Interlock System
The Beam Interlock System indicates to User Systems whether BEAM PERMIT is TRUE or
FALSE with the signal BEAM PERMIT INFO. This is generally used to inhibit test modes and to
ensure that User Systems are in the correct operational mode, this is not a critical safety function
of the Beam Interlock System. In the tree structures the extraction and injection windows
BEAM PERMIT is TRUE for only some milliseconds, in these cases BEAM PERMIT INFO has
little real value, and is not required for the operation of the User Systems. Table 4.1 shows the
architectures of the different interlock systems, with the length of time that BEAM PERMIT will
be asserted and whether BEAM PERMIT INFO is needed in each implementation of the Beam
Interlock System.
Beam Interlock System BEAM PERMIT BEAM PERMIT INFO ArchitectureActive Time Needed
LHC Beam-1 10 hours Yes Ring
LHC Beam-2 10 hours Yes Ring
SPS Ring < 1 minute Yes Ring
LHC Beam-1 Injection < 20 milliseconds No Tree
LHC Beam-2 Injection < 20 milliseconds No Tree
SPS BA4 Extraction < 20 milliseconds No Tree
SPS BA6 Extraction < 20 milliseconds No Tree
Table 4.1: BEAM PERMIT and BEAM PERMIT INFO in the CERN Accelerator Complex
The ring and tree architectures accommodate all of the interlocking requirements. They operate in
almost the same way, however there is one subtle difference: In the ring architecture every user
must be ready before beam operation is allowed, this is not the case in the tree architecture where
a Master Beam Interlock Controller (MBIC) can be used meaning that only a sub-set of users need
to be ready for beam in order to give BEAM PERMIT. For example, the SPS point four
extraction region uses a master controller, which permits beam operation to either the LHC or the
CNGS target, not all User Systems need to give USER PERMIT for extraction to occur in this
case.
Figure 4.4: SPS BA4 Extraction to CNGS or LHC
This chapter discusses the design and realisation of Beam Interlock System that can satisfy all
46 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
requirements of any of these applications, generally using the LHC Beam Interlock System as a
basis.
4.1 Communications Architecture
At a basic level the Beam Interlock System is a distributed electronic communications system. The
largest distribution of the system in the CERN accelerator complex is around the circumference of
the LHC machine, here around 180 distributed User Systems must be accommodated over a
distance of 27km. Three key technologies have been used to interface the various sub-systems of
the Beam Interlock System.
1. Current Loops
2. RS485 Differential Signalling
3. Single Mode Fibre Optic Communications
These three technologies have been chosen as they are the most adapted to the different
requirements of the various parts of the system.
Figure 4.5: The Electrical Architecture of the Beam Interlock System
Current Loops from User System to User Interface
The connections of the three signals USER PERMIT A, B and BEAM PERMIT INFO from the
User System to the User Interface are made by current loops. These are highly suited to this
task, as they allow a wide range of hardware platforms to be accommodated using a single
homogeneous circuit. A fast link using current loops can be established without integrity issues
provided that the cabling is correctly implemented as shielded twisted pair, and that the link has a
short electrical length [88]. The maximum link length of the current loop is specified as around
four meters, as the User Interface electronics can be placed directly in the User System rack, this
pertains well to the use of current loops in this situation.
RS485 from User Interface to Beam Interlock Controller
The distance from User System rack to the nearest Beam Interlock Controller can be over one
kilometer, a cable has to be installed to provide this connection. This cable can pass electrically
noisy equipment and low voltage systems, so care and attention has to be paid to the effects of
Electro-Magnetic Compatibility ensuring that the integrity of the system is maintained and that
neighbouring systems cannot be perturbed. Experiments, summarised in Appendix A, show that
current loops are difficult to implement over long distances with these requirements, RS485
differential signalling was finally chosen for these links as it is well suited to transmission in
heavy industrial environments and is specified for operation with cable lengths of up to 1200m
[89]. A CERN standard 12-wire cable (NE12) has been installed between each User System and
4.1. COMMUNICATIONS ARCHITECTURE 47
the appropriate Beam Interlock Controller, having a full copper shield with six 90Ω twisted-pairs
used to transmit the information required for the system operation.
Experiments summarised in Appendix B show that RS485 can be used to make DC signal
transmission. Coupling this with the use of fail-safe slew-rate-limited transceivers leads to a noise
immune and dependable link with a deterministic response in the case of failure [84]. Equally
important is the transmission delay which is related to the cable length. Experiments, detailed in
Appendix B have shown that cable delay is about 5.4ns per meter, leading to a maximum delay of
about 6.5µs for a full 1200m link. Essentially this creates a communications system acting almost
as fast as physically possible when using copper interconnects. Boolean transmission using DC
signalling has been implemented for the three critical signals between each User Interface and
controller USER PERMIT A, B and BEAM PERMIT INFO.
Two of the remaining pairs of wires in the connection are devoted to a full-duplex serial
communication between User Interface and controller. These two channels, called TEST and
MONITOR allow for remote testing and supervision of the User Interface. The communications
use Manchester encoded data frames. These frame types are used extensively in CERN accelerator
controls, the Manchester Frame format implemented in the Beam Interlock System is heavily
based on the format used in the CERN General Machine Timing (GMT) [90].
The final pair of wires is tied to electrical ground at both ends. This helps to meet the
Electro-Magnetic Compatibility requirements. The discussion regarding EMC continues in Section
4.7 and Appendix F.
RS485 within the Beam Interlock Controller
The same RS485 techniques of flags and frames are used throughout the Beam Interlock Controller
for communications. Critical signals are sent as flags, more complex information is serialised and
transmitted using encoded frames. It has to be noted that RS485 transmission infers a maximum
signal frequency that is proportional to the distance between transmitter and receiver, for the
1200m links the fundamental frequency has been chosen as 62.5kHz, for the shorter links inside the
controller a modest 250kHz has been implemented, these slow links are more than adequate for the
amount of data that has to be transmitted through the system.
Fibre Optics from Controller to Controller
The backbones of the Beam Interlock System are the fibre optic beam permit loops. Two beam
permit loops linking neighbouring Beam Interlock Controllers are implemented in each LHC Beam
Interlock System, one clockwise and one anti-clockwise for each beam. Fibre optic interconnects
were chosen for these loops as they are required to be extremely fast and fibre with a refractive
index of around 1.5 leads to a propagation speed of almost 70% the speed of light in a vacuum.
Fibre optics are capable of transmitting information over a long distance, this accommodates the
distance from one controller to the next where the maximum distance is around 3000m. The
specification of the beam permit loops is for successful transmission over distances that are double
this, giving some margin for error and degradation over time. One other key benefit of using a
fibre interconnect is its resiliance to EMC problems. Light in fibre is resistant to peturbation from
external magnetic and electric fields, equally it cannot peturb the operation of nearby
systems.
48 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
4.2 Beam Permit Loops
The information transmitted over each beam permit loop consists of a single flag called
BEAM PERMIT. This indicates the readiness of the machine for beam operation. The injection,
extraction and beam dumping systems use BEAM PERMIT to control the activation of various
kicker magnets. A frequency is used to represent the Boolean state of BEAM PERMIT, if the
correct frequency is present at the end of the loop BEAM PERMIT can be considered TRUE.
There is a frequency generator (CIBG) installed at the start of each loop responsible for the
creation of the permit loop frequency, this is then propagated from controller to controller where it
is either retransmitted or interrupted by a LOCAL BEAM PERMIT signal. Observing the correct
frequency at the end of the loop indicates that each controller allowed the frequency to propagate,
thus all LOCAL BEAM PERMIT signals are TRUE meaning BEAM PERMIT is also
TRUE.
The switching of the beam permit loop signals by LOCAL BEAM PERMIT is carried out in an
electronic device, this means that the permit loop signal is converted from an optical signal to an
electrical one and vice-versa at each controller. This infers the constraint of DC operation for the
permit loop electronics as when switch is open the transmitted signal will be a DC level having
constant output power.
The time for transmission around the beam permit loops needs to be as short as possible, to
achieve this goal a pair of permit loops ‘A’ and ‘B’ are implemented in each system. When long
distances are covered by the permit loops, the frequency propagates anti-clockwise around loop ‘A’
and clockwise around loop ‘B’. This means that interruption of frequency propagates in the
shortest possible route.
No frequency regeneration occurs at any point around the permit loops. The single generator
principle increases the system safety by avoiding single failures that could force
LOCAL BEAM PERMIT to erroneously generate a frequency which would effectively mask all the
previous controllers in the loop.
Beam Transfer Systems
Injection, extraction and beam dumping systems are collectively referred to as Beam Transfer
(BT) systems, the relationship between the seven Beam Interlock Systems and the Beam Transfer
systems is shown in Table 4.2.
Beam Interlock System Beam Transfer System BEAM PERMIT interpretation
LHC beam-1 LBDS beam-1 TRUE → FALSE = beam abortinjection permit
LHC beam-2 LBDS beam-2 TRUE → FALSE = beam abortinjection permit
SPS ring SBDS TRUE → FALSE = beam abortinjection permit
LHC beam-1 injection LHC beam-1 injection kicker injection permit
LHC beam-2 injection LHC beam-2 injection kicker injection permit
SPS BA4 extraction SPS BA4 extraction kicker extraction permit
SPS BA6 extraction SPS BA6 extraction kicker extraction permit
Table 4.2: BEAM PERMIT used by Beam Transfer Systems in the CERN Accelerator Complex
Note that the LBDS and SBDS are the LHC and SPS Beam Dumping Systems respectively.
Closed Beam Permit Loops
The final BEAM PERMIT signal can be fed back into the generator to force the generation of the
BEAM PERMIT frequency to stop once BEAM PERMIT becomes FALSE. This is referred to as
‘closed-loop’ operation. Using a closed-loop has two effects:
1. When the system is disarmed there will be no BEAM PERMIT frequency present on any
part of the loop, but...
4.2. BEAM PERMIT LOOPS 49
2. Arming the beam permit loop has to take into account the final BEAM PERMIT signal (see
Section 4.2.8)
The ring interlock systems use closed-loop, Figure 4.6 shows the basic principle.
Figure 4.6: The Beam Permit Closed-Loop Principle
The LHC is the main application of the Beam Interlock System, Figure 4.7 shows the principle
layout of the LHC beam-2 permit loops. These are closed-loop, the generator is combined with a
detector at the start of the loops controlling the frequency generation. A dedicated detector
(DET) is installed in the LHC Beam Dumping System to determine the logical value of
BEAM PERMIT.
Figure 4.7: LHC Beam-2 Permit Loops
If any USER PERMIT signal connected to a controller becomes FALSE then the
LOCAL BEAM PERMIT of the controller is removed, interrupting the frequency retransmission.
This interruption will be detected by the beam dumping system, the circulating beam will be
removed from the machine as soon as possible. The same architecture is used for the LHC beam-1
interlock system meaning that the LHC has four permit loops, one clockwise and one
anti-clockwise for each beam. A typical LHC mission will last at least ten hours, during which
time BEAM PERMIT will be maintained TRUE.
The SPS Beam Interlock System is very similar to the LHC, but on a much smaller scale, the
physical length of the SPS accelerator is only around one quarter that of the LHC. The SPS has
only one beam having therefore only two beam permit loops, and a typical cycle lasts less than one
minute, during which time BEAM PERMIT is TRUE. Figure 4.8 on the next page shows the SPS
layout, with the key locations of the SPS Beam Interlock System.
50 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
Figure 4.8: Permit Loops of the SPS
Open Beam Permit Loops
Injection and extraction Beam Interlock Systems use permit loops with open loop configurations.
The concept of arming and disarming does not apply to the open-loop systems, as they are
configured to continually generate frequency. This avoids the problems related to enabling the
generator which would be difficult due to the alignment with the required extraction or injection
window. Open-loop also means that there will be BEAM PERMIT frequency in parts of the
system even when the loop is disarmed. Figure 4.9 shows the principle.
Figure 4.9: The Beam Permit Open-Loop Principle
Both open and closed loops have the same function and almost identical implementation, one can
assume that the safety of these tree systems, using open-loop is comparable to that of the ring
systems using closed-loop. Despite this the injection and extraction permit loops do not have the
same level of criticality as those in the LHC. A missed extraction results in only some minutes of
lost time as a new fill is prepared. A bad extraction, whilst being dangerous, does not have the
huge financial penalties and downtime associated with failure in the LHC.
Injection and extraction Beam Interlock Systems have somewhat more complex interlocking
requirements. A Master Beam Interlock Controller can be used that collects
LOCAL BEAM PERMIT signals from several controllers which are connected to User Systems.
This partitioning combined with the use of a master controller allows more complex criteria to be
established for the creation of the BEAM PERMIT signals, which enable the extraction or
injection at the relevant point.
Injection and extraction permit windows are very short, BEAM PERMIT will only be TRUE for
some tens of milliseconds at a time.
4.2. BEAM PERMIT LOOPS 51
Figure 4.10: Permit Loops of the Injection and Extraction Systems
4.2.1 Ring-Closed and Tree-Open Permit Loop Summary
All of the tree systems use the open-loop configuration, all of the ring-structures use closed-loop.
Table 4.3 summarises the differences between the ring and tree permit loops structures, taking the
worst-case values from each implementation.
Type Application
Maximum Worst Link Maximum Maximum
FormatLinks Length Repetition Active
Per Loop [km] Stages Window
Ring LHC/SPS Ring 18 6 17 ≈36000s Closed
Tree Injection/Extraction 2 2 1 ≈0.01s Open
Table 4.3: Comparison of the Ring and Tree Beam Permit Loop Architectures
Clearly this table shows that an LHC defines the design specification. SPS, injection and
extraction loops can be created by using LHC compatible hardware, easily meeting their design
requirements.
4.2.2 Beam Permit Loop Frequency
The frequency chosen to represent TRUE for the loops is 10MHz, transmitted with a 50/50 duty
cycle, this frequency was taken from the system implemented at Brookhaven National Laboratories
which uses 10MHz permit loops for the transmission of beam abort signals [81]. This frequency
and symmetry allows a response time in the order of micro-seconds to be comfortably realised as
the fundamental period is just 100ns. Simple electronic circuits can also be used for the signal
repetition as 10MHz is very easily handled by modern electronic components [91]. The observed
100ns period distribution degrades as the signal is repeatedly retransmitted by the Beam Interlock
Controllers, this degradation has been quantified and used to determine the correct parameters for
the frequency detectors used to derive BEAM PERMIT in a safe and reliable manner.
Commercial oscillators rarely have a guaranteed duty cycle of 50%, so the 10MHz is made by
clocking a 20MHz signal through a T-Type flip-flop. Each LOCAL BEAM PERMIT switch
includes an inverter, negating the signal on the loop. This corrects any differences that may arise
due the circuit reaction to postive and negative going transitions that occurs naturally in
transistor structures.
52 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
Figure 4.11: Creating and Maintaining the Beam Permit Loop 10MHz with 50% Duty Cycle
4.2.3 Optical Power Budget
The conversion between optical and electronic signals is carried out by a small transceiver. To
design this device an Optical Power Budget (OPB) needs to be defined. This considers the optical
power loss through the various components of the system, and from this the specification for the
receiver sensitivity can be made when the transmitter output power has been chosen [92]. The
budget is formed from connector losses, fibre losses and a safety margin.
To determine the connector losses, the number of interconnections from transmitter to receiver
must be calculated, in the LHC a fibre-optic trunk is routed the complete length of LHC passing in
a similar line to the accelerator itself. This trunk has a high bandwidth and provides the core
signal path for the permit loops. Trunk connectors are installed at the left and the right of each
Insertion Region (IR), giving access to the trunk fibres. This infers many interconnections between
controllers. The worst case is an interconnection between controllers that passes through a local
patch panel as well as the trunk, this is shown in Figure 4.12.
Figure 4.12: Worst Case Interconnections from Controller to Controller
This shows that there could be up to ten interconnections and five fibres between controllers.
Using a wavelength of 1310nm with modern installations leads to typical worst case losses of 0.5dB
per connector [93] and 0.5dB per kilometer of fibre [94]. A safety margin of 3dB has also been
established, in order to give some leeway to cover component aging.
Calculating the losses for a double worst-case link length of 6000m using Figure 4.12 leads to
Table 4.4 on the facing page. Summing the right-hand column gives a power loss of around
11.25dB. Tests using the real optical fibres have shown that the losses observed are normally
around one third of the worst case value shown here. Section 5.1 on page 130 shows typical values
measured in the SPS, concluding that this Optical Power Budget is conservative.
To convert this figure of dB loss into real requirements one can switch to an absolute value of dB,
called dBm. dBm is used extensively in optical engineering, it is defined by 0dBm being equivalent
to one milliwatt of transmitted power. For example, if each link in the beam permit loop uses a
transmitter with an output power of 0dBm (1mW) the receiver sensitivity must be at least
-11.25dBm (74µW ). These figures coupled with the DC to >10MHz frequency requirements form
the basic specification of the optical transceiver.
4.2. BEAM PERMIT LOOPS 53
Source of Loss Label on Figure 4.12 Power Change [dB]
Transmitter Connector 1 -0.5
Fibre (50m) A -0.025
Patch Connector 2 -0.5
Patch Connector 3 -0.5
Fibre (200m) B -0.1
Trunk Connector 4 -0.5
Trunk Connector 5 -0.5
Fibre (6000m) C -3.0
Trunk Connector 6 -0.5
Trunk Connector 7 -0.5
Fibre (200m) D -0.1
Patch Connector 8 -0.5
Patch Connector 9 -0.5
Fibre (50m) E -0.025
Receiver Connector 10 -0.5
Safety Margin - -3.0
Table 4.4: Tabulating the Losses for the Optical Power Budget
4.2.4 Engineering the Optical Transceiver
Each Beam Interlock Controller has a small optical transceiver (CIBO) for each beam permit loop.
The optical transceiver converts the 1310nm light into an electronic signal, the conversion is
digital, with a power transistion to light above a power threshold being interpreted as a logic ‘1’,
and logic ‘0’ below the threshold. The transceiver, gives these logic levels as TTL signals. The
basic block diagram of the transceiver is shown in Figure 4.13, Appendix O has a photograph of
the complete transceiver.
Figure 4.13: Block Diagram of the Optical Transceiver
The fundamental design of this is based on the Optical Power Budget and the frequency
specification. Amongst the most basic choices that had to be made concerning the transceiver was
the type of device used for transmission, both LED and LASER-Diode (LD) structures are used to
make discrete transmitters, and both could be used for this application.
Characteristic LED LD
Output Drive Circuit Simple Complex
Drive Current 50-100 mA Threshold 5-40mA (drive above)
Coupled Power Moderate (µW ) High (mW )
Bandwidth Moderate (≈ 100’s Mb) High (≈ 10’s Gb)
Wavelengths 660 - 1550 nm 780 - 1550 nm
Cost $5 - 300 $100 - 10000
Emission Spectrum 40 - 190nm FWHM 1 - 10nm FWHM
Safety Requirements None Return Loss & Eye Safety
Table 4.5: Comparison of LED and LASER Diode Technology [95]
54 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
The choice of a laser diode is unjustified for the permit loops, so an Edge Light Emitting Diode
(ELED) is used as the transmitter, with a simple P-Type - Intrinsic - N-Type (PIN) diode
receiver. The basis for the design is an application note by Avagotech (formerly Agilent) for DC to
32Mb data transmission through an optical fibre [96]. The circuitry described in this note has been
modified and adapted to be compatible with the mechanical structure and supply specification of
the Beam Interlock Controllers. A block diagram of the optical transceiver is shown in
Figure 4.14.
Figure 4.14: Detailed Block Diagram of the CIBO Optical Transceiver
The ELED is a PLD 1315M, with a specified output power between -15 and -25dBm at an nominal
wavelength of 1310nm, this ELED is driven by a simple electronic circuit, giving the following
characteristics:
Transmitter Input Voltage ELED Current ELED Output Power
[Volts] [mA] [µW ] [dBm]
>2.0 10 0.001 -65
<0.8 100 10 -20
Table 4.6: Electrical Characteristics of the ELED Based Optical Transmitter
When the input voltage is considered as TTL high, the transceiver emits no light, this is inverts
the electronic signal at each stage. The receiver is based on an HFBR 2316 single-ended receiver
with built in Trans-Impedance Amplifier (TIA); the conditioning electronics are capable of
accepting a single ended or differential signal from a compatible receiver. An analogue section
converts the low-voltage output into a TTL signal via three further electronic stages.
1. The millivolt outputs from the receiver are passed through a simple differential amplifier,
this amplifies and removes common mode offset.
2. An emitter-follower is used to buffer the output of the differential stage. This provides a
small gain, and impedance matching for the signals going into the high-speed comparator.
3. Finally the high-speed comparator evaluates the two input voltages, and generates a TTL
signal and its compliment. Schmidt trigger feedback and a weak hysteresis is used to
preventing the circuit from spurious oscillation.
The receiver sensitivity is at least -35dBm (0.3 µW) although experiments have shown that
receiver circuits may still function up to -40dBm (0.1 µW). The circuit is AC coupled, but unlike
most AC coupled fibre optic receivers, it doesn’t require a constant frequency reception to achieve
the correct biasing, it can be successfully used in a DC system provided the rising and falling edges
of the signals are sufficiently fast.
To ensure that the Optical Power Budget is met, each link used by the Beam Interlock System has
a measurement made during installation, the output power of -15 to -25dBm and receiver
threshold of -35 to -40 dBm means that optical budgets of -10 to -25 dB can be accommodated. In
the higher attenuation links the more powerful transmitters and more sensitive receivers can be
used, giving the best power margin.
4.2. BEAM PERMIT LOOPS 55
4.2.5 Transmission Characteristics
Considering the output transmission power and the input receiver threshold indicates whether the
link can operate or not, obviously if the optical power is below the receiver threshold then the
signal cannot be recovered and the link will not work. Considering this leads to questions
concerning the effects of attenuation on the transmission of a signal when the received power is
above the receiver threshold. How does attenuation affect the 10MHz signal? What will the
10MHz signal look like after seventeen retransmissions?
The effect of attenuation on the retransmission of the 10MHz signal has been carefully studied to
answer these questions. Experiments were made based on a simple transmission - attenuation -
reception loop as shown in Figure 4.15.
Figure 4.15: Testing the Effect of Attenuation on the 10MHz Waveform
The jitter of the 10MHz signal was recorded and a distribution plotted for various attenuations.
Figure 4.16 shows the typical results of an experiment. The upper trace in orange is the frequency
going into the Beam Permit Loop (Frequency IN), the lower trace in black is the observed
frequency leaving the Beam Permit Loop (Frequency OUT). The jitter measurements are also
plotted, using a logarithmic vertical axis, showing the distribution of the period. Retransmission
clearly increases the jitter of the signal on the beam permit loop.
This experiment was repeated for a range of attenuations and optical transceivers (labelled
CIBO.Pxx). The observations were then normalised to the receiver input threshold that had
previously been experimentally obtained, Figure 4.17 on the following page shows the results of
these experiments. The sigma, related to the standard deviation of the jitter, is plotted against the
power margin.
Figure 4.16: Typical Resulting Histogram for the Beam Permit Loop Period Observations
The black line on Figure 4.17 on the next page shows a pessimistic approximation to this period
56 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
sigma error. It’s clear that received power has a large influence on the form of the 10MHz signal.
Tabulating these results show the boundaries of acceptable operation versus unacceptable.
Power Margin Jitter Category[dB] [ns]
>12.0 ≈0.1 Excellent
5.0 - 12.0 ≤0.5 Good
2.0 - 5.0 ≤1.5 Poor
<2.0 ≥1.5 Unacceptable
Table 4.7: Interpretation of the Period Sigma Error Results
Essentially this means that although a link might be feasible due to the power budget, it is
desirable to have at least 2dB of margin between the receiver threshold, and the received optical
power, i.e. if a receiver has a threshold of -30dBm, the received power must be at least -28dBm. A
link with a margin less than 2dB will operate correctly, but the jitter of the 10MHz may not be
acceptable for the operation of the permit loop. Installations with high losses must be carefully
observed to ensure that the performance is acceptable.
Figure 4.17: Results from the Frequency Observation Experiments
Of course, one must expand these results to cover a full LHC loop of seventeen retransmissions
without regeneration, each accumulating jitter. To calculate the expected period at the end of the
loop the errors induced from each links have to be convolved together. Figure 4.18 on the facing
page shows the distributions resulting from two calculations.
1. 12.65dB power margin for each link of the beam permit loop.
2. 2.25dB power margin for each link of the beam permit loop.
Clearly the better the power margin, the better the jitter. Note that the vertical axis is now a
probability, this is indicative, as the width of the distribution is the most important.
The results shown come from modelling seventeen retransmissions each having the same received
power margin, to obtain the predicted value for a specific permit loop a recalculation is needed
that takes into account the power margin of each link.
In conclusion, the frequency representing BEAM PERMIT TRUE observed at the end of the
permit loop will be 10MHz if the signal is observed for many cycles.
4.2. BEAM PERMIT LOOPS 57
Figure 4.18: Results of Convolution of Period Errors for Seventeen Retransmissions
If the signal is observed on a period by period basis the value obtained for the frequency will vary
between the upper and lower bounds which are defined by the transmission characteristics of each
of the seventeen links that form the permit loop. This forms part of the basic definition of the
frequency detection parameters for detectors in the Beam Transfer systems and in the generator of
the closed-loop permit loops.
4.2.6 Bit Error Rate
The period distribution analysis explained in the previous section assumes that the 10MHz signal
is simply distorted by the retransmission. What happens if periods are not distorted, but are lost?
This has the potential to be a source of downtime if not carefully considered, as a single missing
period could be misinterpreted as a BEAM PERMIT transition from TRUE to FALSE. The Bit
Error Rate (BER) of the permit loop can be used in conjunction with the transmission effects
described in the previous section to derive a more intuitive model of the expected loop
behaviour.
Bit Error Rate Test (BERT) equipment has been used to determine the expected rate of
transmission errors for the permit loops. A single detected error can be readily interpreted as a
missing or extra transition observed on the 10MHz link, as shown in Figure 4.19.
Figure 4.19: Manifestations of Bit Errors
These transitions falsely increase or decrease the measured frequency of the link, and are an
unavoidable natural phenomena. Bit Error Rate Testers use Pseudo-Random Bit Sequence
(PRBS) generators that encode pseudo-random data into frames of ‘0’ and ‘1’ bits. This sequence
is transmitted through the optical link, and returned to the test equipment, which phase locks to
the data stream and compares the input and output sequences. Any errors can be recorded and
since the number of transmitted bits is known, the Bit Error Rate can be established. In these
tests the data test patterns were configured as 10MHz level-encoded frames, replicating the DC
58 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
nature of the optical links. The pattern was set to ‘27 - 1’ giving a repetition every 127 bits, seven
consecutive ’1’ or ’0’ bits can appear in frames produced by this pattern. The observed Bit Error
Rate was then recorded for various values of optical attenuation, Figure 4.20 shows the experiment
set-up.
Figure 4.20: Experiment Setup to Determine the Bit Error Rate
In electrical systems the error rate is linked to the system’s Signal to Noise Ratio (SNR), in
high-bandwidth systems a reduction of the signal to noise ratio allows a kind of accelerated testing
to be carried out to determine the system error rate [97]. The typical behaviour of an electrical
link and the results of the transceiver tests are plotted in Figure 4.21.
Figure 4.21: Bit Error Rate as a function of Signal to Noise Ratio
It is clear that the effect of attenuation on the optical devices does not match that of electrical
systems, the cut-off is much steeper with a little increase in received power rapidly decreasing the
Bit Error Rate. Indeed, extrapolating the results from Figure 4.21 for a link with a Signal to Noise
Ratio of four quickly predicts a error rate much less than 1× 10−16, in this case many tens of years
could pass without an error being observed.
A pessimistic approach must be used for the beam permit loop performance. If the Signal to
Noise Ratio is chosen as 1.6 Figure 4.21 suggests an error rate of 1.3× 10−10 with a 99%
confidence. This corresponds to a receiver power of only 2dB above receiver threshold, which
was shown in Table 4.7 on page 56 as the absolute lower limit for ‘poor’ but acceptable
performance for a single permit loop link.
Considering that the LHC beam permit loops have seventeen links in series, a very basic estimate
would be to multiply this error rate by seventeen, this makes the assumption that errors are
uncorrelated. In this case a rate of 2.2× 10−9 would be typical for the full beam permit loop.
Considering that the link speed is 107 bits per second gives a mean time between errors of less
than one minute.
4.2. BEAM PERMIT LOOPS 59
Care has to be taken when interpreting this number. Firstly, if taken literally, it means that a
missing or extra transition would appear every minute, but only in the case where seventeen ‘poor’
quality links were being used. It must also be made clear that the characteristics of the worst link
will be dominant, the average of the Bit Error Rates of the individual links does not represent the
performance of the system. This is another motivation to ensure that the power budget for each
link is acceptable, conforming to ‘good’ or ‘excellent’ in Table 4.7 on page 56.
4.2.7 Detection of BEAM PERMIT
The studies described in the previous two sections derive the following rules and observations for
each link of the beam permit loop.
• Each link must have a power margin of at least 2dB.
• Each link should have an error rate of better than 1.3× 10−10.
• Each link output should have a Gaussian distribution with a mean of 100ns, and sigma no
more than 1.5ns (taken from Table 4.7).
Simple, but pessimistic extrapolation of these figures for the whole loop gives the following two
rules:
• Each loop should have an error rate better than 2.2× 10−9.
• Each loop output should have a Gaussian distribution with a mean of 100ns and a 6-sigma of
no more than 30ns.
The maximum reaction time of the detection circuits can also be defined by considering the
specified reaction time of the whole Beam Interlock System. It was shown in Chapter 3.1 that the
Beam Interlock System must react in approximately 100µs, a sensible reaction time of the
detection circuits should only be around 5-6% of this. So, one can observe the 10MHz frequency
on the permit loop for a maximum of around 5− 6µs to determine whether the frequency should
be considered TRUE or FALSE.
Table 4.8 shows the probability of n bit errors occurring within windows ranging from 1 to
6µs.
Window Length Window Rate Probability of n Bit Errors in Window
[µs] 10MHz Cycles [s−1] n = 1 n = 2 n = 3
1 10 1,000,000 2.1× 10−8 4.1× 10−16 6.9× 10−24
2 20 500,000 4.3× 10−8 1.7× 10−15 6.6× 10−23
3 30 333,333 6.4× 10−8 3.9× 10−15 2.3× 10−22
4 40 250,000 8.5× 10−8 7.0× 10−15 5.7× 10−22
5 50 200,000 1.1× 10−7 1.1× 10−14 1.1× 10−21
6 60 166,666 1.3× 10−7 1.6× 10−14 2.0× 10−21
Table 4.8: Probabilities of Glitch Occurence for sampling Windows from 1 to 6µs
The probabilities in this table can be converted into intervals by inversion and multiplication by
the window rate, giving Table 4.9 on the next page.
Considering that there are four loops for the two LHC Beam Interlock Systems means that the
mean time between events should be divided by four, the LHC is expected to operate for 4000
hours a year. Therefore at least two, if not three glitches should be tolerated by the frequency
detection circuits, statistically one mission every six years could be lost due to glitches on the
loops.
60 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
Window Length Window Rate mean Time Between n Bit Errors in Window
[µs] 10MHz Cycles [s−1] n = 1 n = 2 n = 3
1 10 1,000,000 5 seconds 78 years >4 billion years
2 20 500,000 5 seconds 37 years >900 million years
3 30 333,333 5 seconds 24 years >400 million years
4 40 250,000 5 seconds 18 years >200 million years
5 50 200,000 5 seconds 14 years >140 million years
6 60 166,666 5 seconds 12 years >96 million years
Table 4.9: Mean Time Between Glitch Occurences for sampling Windows from 1 to 6µs
A frequency detection window operates by counting the number of edges on a signal in a specified
interval, as the frequency initially has a 50/50 duty cycle both rising and falling edges can be
counted. Figure 4.22 shows a 2µs window, which should measure 40 edges if a 10MHz frequency is
present.
Figure 4.22: Counting the Edges of the Beam Permit Loop Signal During a Sampling Window
Figure 4.18 on page 57 showed that the jitter could be ±30ns, hence one should accept that the
first and last edges may not be captured in the sampling window, coupling this with the expected
glitches due to the error rate derives the Table 4.10.
Window Length Glitches Lower Tolerance Upper Tolerance Error[µs] 10MHz Edges in Window Edges Frequency Edges Frequency
1 20 3 13 6.5 MHz 27 13.5 MHz ±35%
1 20 2 15 7.5 MHz 25 12.5 MHz ±25%
2 40 3 33 8.3 MHz 47 11.7 MHz ±17%
2 40 2 35 8.8 MHz 45 11.2 MHz ±12%
3 60 3 53 8.8 MHz 67 11.2 MHz ±12%
3 60 2 55 9.2 MHz 65 10.8 MHz ±8%
4 80 3 73 9.1 MHz 87 10.9 MHz ±9%
4 80 2 75 9.4 MHz 85 10.6 MHz ±6%
5 100 3 93 9.3 MHz 107 10.7 MHz ±7%
5 100 2 95 9.5 MHz 105 10.5 MHz ±5%
6 120 3 113 9.4 MHz 127 10.6 MHz ±6%
6 120 2 115 9.6 MHz 125 10.4 MHz ±4%
Table 4.10: Specifying the FAST Detection Parameters
Choosing a sampling window of 5µs with a tolerance of two glitches gives a good reaction time, a
good resistance to spurious trips, and a frequency resolution of 10MHz ±5%. One erroneous
detection of BEAM PERMIT = FALSE every six years is perfectly acceptable for the operation of
the Machine Protection System.
The permit loop frequency must be verified with a precision better than ±5%, this can’t be done
in a short window, hence the detection needs to be divided into both FAST and SLOW circuits
operating in parallel.
4.2. BEAM PERMIT LOOPS 61
Figure 4.23: Beam Permit Loops with FAST and SLOW Detectors
The FAST detector measures over 5µs, whereas the SLOW detector can operate over a longer
interval of 100-1000ms to verify the frequency to better than 0.1%.
Window Length Lower Tolerance Upper Tolerance Error
[ms] 10MHz Edges in Window Edges Frequency Edges Frequency
100 2,000,000 1,998,000 9.99 MHz 2,002,000 10.01 MHz ±0.1%
1000 20,000,000 19,998,000 9.999 MHz 20,002,000 10.001 MHz ±0.01%
Table 4.11: Specifying the SLOW Detection Parameters
This dual detector solution is very robust, allowing 5% precision to be determined in 5µs, with
0.1% precision verified in 100ms. However, the SLOW detector must not always be taken into
account, for example millisecond bursts of BEAM PERMIT TRUE are needed for extraction and
injection operation, in this case SLOW detector does not have time to react. This leads to
particular requirements for the arming of the beam permit loops when a closed-loop is used.
4.2.8 Arming the Beam Permit Loop
The generator (CIBG) is the source of the permit loop frequency, to start operation the loops have
first to be armed. To do this GENERATOR ENABLE is set to TRUE, if all
LOCAL BEAM PERMIT signals are TRUE then the frequency will propagate and will be
observed back at the generator after a propagation delay. The generation of 10MHz is the
maintained until the BEAM PERMIT becomes FALSE. In the LHC the arm command is carried
out via GENERATOR ENABLE, a 500µs timeout is set in hardware to allow for the propagation
delay. In the ‘ring’ structures it is impossible to force the continuous generation of the 10MHz by
holding GENERATOR ENABLE TRUE.
Figure 4.24: Detailed Diagram of the Beam Permit Loop Frequency Generator
The verification of the received frequency is initially carried out only by the FAST detector, as the
500µs reaction time is not long enough for the SLOW detector to correctly determine the
frequency. A small state machine detailed in Figure 4.25 on the next page is implemented for the
arming of the loops.
62 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
Figure 4.25: Finite State Machine for the Arming of the Beam Permit Loop
The source of GENERATOR ENABLE can be configured to be a locally written software
command or an electrical input coming from the timing system, this means that it is possible to
have a timing event control the initialisation of the beam permit loops, a necessity in the SPS
where synchronisation would make it very difficult to have a software process involved. Conversely,
a GENERATOR DISABLE command can be issued to force the loop generation to stop, this can
also be selected as a software or hardware input. Only the rising edge of this disable signal is taken
into account.
In the open-loop configurations the continuous generation of frequency is forced by bypassing the
state machine, this gives independence from the General Machine Timing, and poses no danger to
the system safety. In the injection and extraction zones User Systems do not need to be aware of
the status of BEAM PERMIT, so no operational issues arise due to the continuous
generation.
Each generator has a BEAM PERMIT output which is TRUE when the returned frequency is
detected from the loop. This serves primarily for local debugging, but in the LHC it is foreseen to
connect the BEAM PERMIT of the beam-1 generator to the GENERATOR DISABLE of the
beam-2 generator and vice-versa. This gives operators the option of configuring the source of
GENERATOR DISABLE as hardware, in this case both LHC beams will be dumped
automatically when BEAM PERMIT for a single beam becomes FALSE.
Figure 4.26: Automatic Simultaneous Disarm of Both Beam Permit Loops in the LHC
4.2. BEAM PERMIT LOOPS 63
There is a frequency source for each Beam Permit Loop, clockwise and anticlockwise. These are
labelled as CIBG A for anticlockwise, and CIBG B for clockwise.
4.2.9 Other Detectors for BEAM PERMIT
The specification of the detection circuits described in the previous sections applies to both the
permit loop generator and those detectors that are implemented in the Beam Transfer systems. In
the LHC it is foreseen to add a set of independently designed detection circuits operating in
parallel to these circuits. In principle this prevents common mode failures that could cause
BEAM PERMIT to be read as TRUE when in fact it is FALSE. Figure 4.27 shows the beam
permit loop on the left hand side, which passes through the Beam Transfer system, here a pair of
detectors is ‘AND’ed to derive BEAM PERMIT. A third input to this AND gate is available,
originating from an independent detection circuit called the Tertiary Permit Unit (TPU).
Figure 4.27: Implementation of the Detector Circuits in the BT Systems, with Tertiary Trigger
Essentially the BEAM PERMIT is derived from a logical AND of the primary, secondary and
tertiary BEAM PERMITs. BEAM PERMIT can also be used to trigger other events, such as the
Post Mortem event sent by the timing system generator (CTG), which causes a full diagnostic
logging to be carried out by all the machine sub-systems once the beam has been removed from
the machine. The interconnection of beam interlock systems also requires that the
BEAM PERMIT from one system be used as a USER PERMIT of another, this tertiary trigger
unit can satisfy all of these requirements.
Figure 4.28: Using the Tertiary Permit
64 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
4.3 Beam Interlock Controllers
Beam Interlock Controllers act as local concentrators, taking many USER PERMIT signals to
create a LOCAL BEAM PERMIT which is used to enable or disable the retransmission of the
signal on the beam permit loop. A redundant architecture has been implemented to achieve the
required safety for the system, this means that a pair of LOCAL BEAM PERMIT signals A and
B are used to control the corresponding A and B permit loops.
A small matrix derives LOCAL BEAM PERMIT from the USER PERMIT signals, this is the
most critical function of the Beam Interlock Controller. Aside from this there are three non-critical
functions.
1. Transmit BEAM PERMIT INFO back to the User Systems.
2. Provide facilities for TESTs to be activated through a remote connection.
3. Provide MONITORING for remote supervision and diagnosis.
BEAM PERMIT INFO is a signal that is sent back to the User Systems representing whether the
Beam Interlock System is ready for beam operation, essentially this is TRUE only when
BEAM PERMIT A and B are both TRUE. BEAM PERMIT is determined in each controller by
observation of the beam permit loops to determine whether the 10MHz permit frequency is
present. The BEAM PERMIT INFO signal is not critical as a failure cannot lead to an unsafe
state. Generally User Systems implement the BEAM PERMIT INFO as a test inhibiter, checking
it before running internal test procedures. If it is FALSE, then the User System can assume that it
is safe to activate a test. Even so, before a routine is started the User System must pulse
USER PERMIT A and B to FALSE, this ensures that the Beam Interlock System sets
BEAM PERMIT is FALSE. In the tree architectures BEAM PERMIT INFO is not read back by
User Systems as BEAM PERMIT is only active for some milliseconds during a beam transfer.
Using BEAM PERMIT INFO in this case does not make sense as the software processes that
initialise test routines will take many hundreds of milliseconds to activate. The cost of a missed
extraction due to a User System being in test mode is minimal, in contrast to the loss of an LHC
physics fill due to a User System erroneously activating a self test sequence.
In the LHC User Systems can either interlock both LHC beams simultaneously, by using a
both-beam connection, or they can interlock LHC beam-1 and beam-2 independently via a pair of
connections, it follows that the BEAM PERMIT INFO transmitted to the User Systems
represents the BEAM PERMIT corresponding to the User System type.
BEAM PERMIT INFO BEAM PERMIT
B1 B2 B1B2 B1 B2
TRUE TRUE TRUE TRUE TRUE
TRUE FALSE TRUE TRUE FALSE
FALSE TRUE TRUE FALSE TRUE
FALSE FALSE FALSE FALSE FALSE
Table 4.12: Deriving BEAM PERMIT INFO from BEAM PERMIT
Figure 4.29 on the next page shows the basic layout of a pair of LHC Beam Interlock Controllers,
with the reception and transmission of the USER PERMIT and BEAM PERMIT INFO
signals.
In the case of the LHC there is a controller for each beam to the left and right of each Insertion
Region. Each controller is embedded in a VME chassis giving remote access for test and
monitoring. A single VME chassis contains a pair of controllers, a typical LHC pair is shown in
Figure 4.30 on page 66.
There are two key components of the Beam Interlock Controller, a Manager board (CIBM)
responsible for the critical functions of the controller, and a Test & Monitor board (CIBT) which
is responsible for the remote supervision and control of the distributed User Interfaces (CIBU).
The User Interfaces are connected to the controller by NE12 cables, the rear of the controller has
been fitted with a patch-panel (CIBPx) and extender boards (CIBEx) connecting these cables to
the user defined pins of the VME bus.
4.3. BEAM INTERLOCK CONTROLLERS 65
Figure 4.29: Creating BEAM PERMIT INFO for User Systems
In summary a VME Chassis can support:
1. Two Manager boards (CIBM) with displays (CIBMD) and two optical transceivers (CIBO)
for each controller.
2. Two Test & Monitor boards (CIBT) with displays (CIBTD).
3. One Safe Machine Parameters Receiver (SMPR) generating the Safe Beam Flags (SBF).
4. Six extension boards to interface the Manager, Test & Monitor and Safe Machine Parameters
Receiver cards to the Patch-Panel (4 x CIBEA and 2 x CIBEB).
5. One patch-panel (CIBPL or CIBPS) used to route signals between User Interfaces, Manager,
Test & Monitor and Safe Machine Parameters Receiver boards.
6. Two permit loop generators (CIBG) each with a pair of optical transceivers (CIBO) to be
installed at the start of the Beam Permit Loops.
7. A single or dual-redundant VME Power Supply Unit (VME PSU).
8. A single or dual-redundant VME Fan Tray (VME FAN)
9. One Power PC (PPC) with a single or dual timing Receiver (CTRP) for remote access and
synchronisation.
The Manager board is partitioned into critical and non-critical parts. The critical operations are
implemented in two Matrix CPLDs, the non-critical operations are implemented in a monitoring
FPGA. The patch-panel and extension boards serve as routing between the various parts of the
controller and the User Interfaces, they have no active components.
4.3.1 LHC and SPS Chassis Types
The LHC requires the possibility of interlocking two beams within a single chassis, this is not
required in those situations that have only a single beam. Two patch-panels are available that
allow a slightly different inter-connection of the sub-systems of the Beam Interlock Controller. The
LHC patch-panel, CIBPL, is shown in Figure 4.31 on page 67.
This means that a single LHC type VME chassis provides connections for the following User
Systems:
User System Connection Connected to BIC(s) Maximum Number Supported
beam-1 beam-1 6
both-beam beam-1 and beam-2 8
beam-1 beam-2 6
Total 20
Table 4.13: Break-Down of Connections to the LHC Patch-Panel
66 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
Figure 4.30: A Single LHC VME Chassis Housing Both Beam-1 and Beam-2 BICs
Modification of the patch-panel allows signals to be rerouted so that two independently operating
controllers can be accommodated in a single VME chassis. The SPS patch-panel, CIBPS, is shown
in Figure 4.32 on the facing page.
In this case each of the LEFT and RIGHT controllers can accept up to fourteen connections to
User Systems. The interlocking architecture is hardwired by socket and connector coding at the
input to the Beam Interlock Controllers, automated test sequences in software can be activated to
verify the links. The combination of hardware coding and software verification leads to a robust
and secure architecture that prevents simple errors from jeopardising the safe operation of the
LHC accelerator. Appendix E details the different combinations of socket and connector that are
possible.
4.3. BEAM INTERLOCK CONTROLLERS 67
Figure 4.31: Signal Routing through the LHC Patch-Panel (CIBPL) and Extension Cards
Figure 4.32: Signal Routing through the SPS Patch-Panel (CIBPS) and Extension Cards
68 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
4.3.2 USER PERMIT to LOCAL BEAM PERMIT
Redundant USER PERMIT signals are transmitted from User Interface to Manager. Two
independent matrices are implemented to derive LOCAL BEAM PERMIT, controlling the
opening and closing of the relevant permit loops. The LHC patch-panel routes the
USER PERMIT signals to the matrices as shown in Figure 4.33.
Figure 4.33: USER PERMIT to Beam Permit Loop Using the LHC Patch-Panel
The SPS patch-panel partitions the USER PERMIT signals to allow two controllers to operate
independently each connecting up to fourteen User Interfaces as shown in Figure 4.34.
Figure 4.34: USER PERMIT to Beam Permit Loop Using the SPS Patch-Panel
The non-critical operations of the Manager board are implemented in a monitoring device which
works alongside the matrices. It is clear that in all cases the operation of the critical paths only
depends on the matrices, neither the monitoring built into the Manager not the Test & Monitor
board are required for this function. Essentially it has been reduced to a clean and simple
path.
4.3. BEAM INTERLOCK CONTROLLERS 69
4.3.3 BEAM PERMIT to BEAM PERMIT INFO
The monitor device built into the Manager board is used to deriving BEAM PERMIT INFO from
the beam permit loops. In the LHC each Manager board can directly inform the User Interfaces
that are operating either on beam-1 or beam-2, as each manager board can observe the frequencies
on the locally connected beam permit loops. A logical OR has to be made of the
BEAM PERMIT INFO B1 and B2 signals to derive the value for the both-beam User Interfaces.
This is carried out in the Test & Monitor board connected to the beam-1 Manager. Figure 4.35
shows the LHC implementation of this.
Figure 4.35: BEAM PERMIT to LOCAL BEAM PERMIT Using the LHC Patch-Panel
The SPS implementation has an independent LEFT and RIGHT controller:
Figure 4.36: BEAM PERMIT to LOCAL BEAM PERMIT Using the SPS Patch-Panel
LEFT and RIGHT are not to be confused with “left and right of an insertion region” which
signifies two complete LHC VME Chassis in two separate locations. In this case the LEFT
Manager and Test & Monitor boards are used to drive BEAM PERMIT INFO for User Interfaces
connected to the LEFT controller. Equally the RIGHT boards drive BEAM PERMIT INFO to
the RIGHT User Interfaces. In each case the first six User Interfaces receive
70 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
BEAM PERMIT INFO directly from the Manager board, the remaining eight receive it from the
Test & Monitor board.
4.3.4 TEST and MONITOR
The Test & Monitor board acts as a relay between the Manager board and User Interfaces,
communicating with serially encoded data frames. In the LHC application the testing and
monitoring of the beam-1 and both-beam User Interfaces is carried out by the beam-1 Test &
Monitor board, beam-2 User Interfaces are tested and monitored by the beam-2 Test & Monitor
board. The LHC application of TEST and MONITOR is shown in Figure 4.37.
Figure 4.37: TEST and MONITOR Using the LHC Patch-Panel
In the SPS implementation the LEFT Test & Monitor board is used to dialog with the User
Interfaces connected to the LEFT controller, the RIGHT board considers those connected to the
RIGHT controller.
Figure 4.38: TEST and MONITOR Using the SPS Patch-Panel
4.4. THE MANAGER BOARD 71
4.4 The Manager Board
The Manager board is the main part of the Beam Interlock Controller, its central role is to derive
LOCAL BEAM PERMIT from the USER PERMIT input signals. This is carried out via a pair of
independent matrices A and B based in Complex Programmable Logic Devices (CPLDs). The
secondary role of the manager is to provide a remote supervision, testing and a log of events, this
is implemented in a monitoring Field Programmable Gate Array (FPGA) which synchronises to
the CERN timing system and gives data access via a VME bus.
The only parts of the Manager that are on the safety critical path are the matrices, therefore effort
has been made to implement robust designs in the CPLD fabric of each. The two matrices will be
designed by two different engineers following a design specification, they are also chosen to be
devices with slightly different characteristics to try and avoid common mode failures that could
circumvent the A and B redundancy for connected USER PERMIT signals. The monitor FPGA
has not been designed with safety constraints as a priority, it has been designed to meet the
functionality requirements of the controller for supervision and test.
The Manager contains some elements that are not part of this thesis:
• A VME bus interface and arbitration.
• Complete power supply and board decoupling.
• The possibility of remotely upgrading the monitor FPGA (NOT the matrices).
• A local RS232 serial data link.
Design choices that are pertinent to this thesis are:
• Matrix CPLDs A and B.
• Monitor FPGA.
• Configuration switches, jumpers and address decoding.
• Front panel display.
• Interconnections to LHC sub-systems.
The Manager board is designed to adapt to three other required implementations, in every case
the monitor FPGA carries out the same function, only the matrices are reprogrammed. This
means that each variant of the Manager can use the same driver and that the software can adapt
to the board type and show the correct information.
Extraction Master (CIBMM/CIBX)
The extraction master has almost exactly the same function as the ‘normal’ Manager. However in
this case the LOCAL BEAM PERMIT output of the matrix is not derived using a simple AND,
rather a combination of AND and OR circuits. This allows beam extraction from SPS to
accommodate the various destinations for the beam.
Permit Loop Generator (CIBMG/CIBG)
The Manager board also implements the generator board used at the start of each beam permit
loop. The generator does not need any RS485 connections, it uses only the monitor FPGA, the
matrices and the optical transceivers. There are three functions implemented in the monitor
FPGA when the CONFIGURATION indicates that the Manager board is configured as a
Generator:
1. External Start/Stop - An external signal, such as a timing event can start the generator.
Equally, an external signal can stop the generator when software configures the device to
accept an external start and stop.
2. Software Start/Stop - A software signal can be used to remotely start and stop the generator.
3. Forced Generation - The generator uses some of the LATCH signals (explained in Section
4.4.3) to allow the generator to be configured to generate constantly.
72 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
Permit Verifier (CIBMV/CIBV)
The permit verifier is a very simple device, it has no RS485 interfaces, and it always allows the
beam permit loop frequency to propagate, its role is to monitor the performance of the beam
permit loop and derive a BEAM PERMIT flag in a redundant manner, this device can be used as
a Tertiary Permit Unit.
The following sections explain the operation of the normal Manager board (CIBM) as used
throughout the Beam Interlock Systems. Figure 4.39 shows a basic block diagram of this
board
Figure 4.39: Block Diagram of the Manager Board with Matrix CPLDs and Monitor FPGA
4.4.1 Permits, Disabling & Permit Loop Signals
Figure 4.40 shows the signal flow through the matrices and monitor for the permits, disabling and
permit loop signals. Only a single matrix is shown, the signals are repeated for the second. Note
that feedback signals from the matrix to the monitor are not shown.
Figure 4.40: Routing of the Permit Signals in the Manager
The differential RS485 USER PERMIT signals are converted to TTL by MAX3440E transceivers
which give USER PERMIT and USER PERMIT FAULT, which must be considered
simultaneously to derive LOCAL BEAM PERMIT in the matrices. The monitor FPGA is
fed-back a copy of USER PERMIT and USER PERMIT FAULT which can be used to provide
remote supervision and a history of changes, a failure on these feed-back signals does not lead to
an unsafe state for the critical operation of the Beam Interlock System. The monitor FPGA
provides a SOFTWARE PERMIT signal that is considered as a fifteenth USER PERMIT input,
4.4. THE MANAGER BOARD 73
alongside the fourteen USER PERMIT signals. SOFTWARE PERMIT can be set and unset
remotely via ethernet and the Power PC, this allows more complex interlocking criteria to be
realised, that cannot be easily attributed to a single hardware system. The SOFTWARE PERMIT
can also be permanently set to TRUE by fixing a jumper in the SOFTWARE DISABLE position
on the Manager board.
As all fourteen USER PERMIT inputs to the matrix are seldom if ever always used, spare
channels have to be disabled by adding a USER DISABLE jumper in the correct position on the
board, which forces the associated USER PERMIT to be TRUE. This is a very dangerous
capability, and two steps have been taken to prevent dangerous operation:
1. Two separate banks of jumpers exist for the two matrices, so if one jumper is added by
accident, or a short is formed, it cannot put the controller in a dangerous state.
2. The jumper positions are read-back and compared to a database before the matrices are
permitted to operate. If the verification fails then the monitor FPGA prevents the matrices
from starting by holding a flag high. The physical positioning of the jumpers forces the
board to be removed from the chassis if the jumpers need changing, the verification is
retriggered once the Manager board is reinstalled in the chassis.
LOOP IN and OUT are the permit loop signals that interface with the optical transceiver.
LOCAL BEAM PERMIT which controls the opening and closing of the loop is also transmitted by
the matrix as a differential signal. This appears on a rear connector of the VME chassis, it can be
directly implemented as a USER PERMIT input allowing the tree structure to be realised.
4.4.2 Masking and the Safe Beam Flag
A section of the USER PERMIT signals can also be masked when a flag indicates that the energy
and intensity of the beam in the machine is below damage thresholds. This Safe Beam Flag is
transmitted to the Manager from the Safe Machine Parameters Receiver via the patch-panel and
extension boards using RS485, a differential receiver gives an indication of the state of the flag via
two signals SAFE BEAM FLAG and SAFE BEAM FLAG FAULT which must both be taken into
consideration to determine whether the safe beam flag should be considered TRUE or
FALSE.
For flexibility the flag can also be input to the system by front panel connectors, the flag source
has to be hardcoded as either rear or front, the monitor FPGA can read-back this coding to ensure
the source is correct.
The MASK that is to be applied to the USER PERMIT signals can be read and written remotely,
this gives operators flexibility when operating the machine at low intensity and energy. To
implement this seven MASK bits are sent from the monitor FPGA to each matrix CPLD. The key
signals for the complete implementation of the Safe Beam Flag are shown in Figure 4.41, feedback
signals to the monitor are not shown.
Figure 4.41: Routing of the Safe Beam Flag Signals in the CIBM
74 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
4.4.3 Latching and Arming
When the Beam Interlock System is implemented in a ring structure the LOCAL BEAM PERMIT
is held FALSE after a transition from TRUE to FALSE (LATCHING), it must be forced to rearm
after each operation. This is implemented so that the beam permit loops cannot be automatically
rearmed, and that the BEAM PERMIT cannot spuriously switch between TRUE and FALSE. On
the other hand, when the system forms a tree structure the LOCAL BEAM PERMIT output
usually takes the form of a series of TRUE windows only some milliseconds in length, in these
cases the signal is not latched and is free to oscillate from TRUE to FALSE as a simple function of
inputs.
Three signals are generated by the Manager and sent to each matrix concerning this process, these
are:
1. LATCH INIT - this is set when the board is first powered, it can only be released once the
position of the jumpers and configuration is verified. A rising edge on this signal triggers the
matrix to start operation, once this signal has transitioned to TRUE it is ignored until the
board is power cycled.
2. LATCH ENABLE - this bit informs the matrix whether it should wait for a rearm command
before allowing LOCAL BEAM PERMIT to transition from FALSE to TRUE.
3. LATCH REARM - the rising edge of this signal is used to rearm the latch in the matrix. If
the latch is not enabled then this signal is ignored.
These are transmitted via three signal lines shown Figure 4.42.
Figure 4.42: Routing of the Latch Signals in the CIBM
4.4.4 Fail-Safe Programming of the Critical Signals
The three Figures, 4.40 on page 72, 4.41 on the previous page and 4.42 show the implementation of
the critical signals in the Manager board that are sent as DC flags, the polarity of these signals has
been chosen to ensure that they are fail-safe.
Signal Name Polarity Failure Logic Description[High / Low] [TRUE / FALSE] of Default
USER PERMIT Active Low FALSE No Permit
USER PERMIT FAULT Active High TRUE Fault
USER DISABLE Active Low FALSE Enabled
SOFTWARE PERMIT Active Low FALSE No Permit
SOFTWARE DISABLE Active Low FALSE Enabled
LATCH INIT Active Low FALSE Initialisation Fail
LATCH ENABLE Active High TRUE Latch Enabled
LATCH REARM Active Low FALSE No Rearm
MASK Active Low FALSE User is Un-Masked
SAFE BEAM FLAG Active Low FALSE Beam is dangerous
SAFE BEAM FLAG FAULT Active High TRUE Fault
SAFE BEAM FLAG FP Active Low FALSE Beam is dangerous
LOCAL BEAM PERMIT Active Low FALSE No Permit
Table 4.14: Polarities and Failure Modes of the CIBM Critical Signals
The Beam Permit Loop signals LOOP IN and OUT are frequencies when they are TRUE, this
4.4. THE MANAGER BOARD 75
means that the relevant signals do not need to be programmed to have a failure polarity as a
stuck-at level will always be considered FALSE.
4.4.5 Matrix CPLDs
The basic electrical diagram of the matrix is shown in Figure 4.43, in addition to the signals that
have already been presented are those less critical signals shown in green which serve non-critical
functions of the matrix. The A and B matrices both have the same function, so the circuits shown
here are doubled on each Manager board.
Figure 4.43: Matrix Electrical Block Diagram
The functionality of the matrix is is described in Very High Speed Integrate Circuit Hardware
Description Language (VHDL) which is then synthesised and converted to a configuration bit
stream that can be loaded into the CPLD through a serial connection (JTAG). In total the matrix
has over 100 connected signals, of these only around 60 are considered critical for the operation of
the Manager.
The device used to implement the matrix is an XC95288XL CPLD from Xilinx, having 5 Volt
tolerant input and output structures. This device has a very high Mean Time Between Failures
(MTBF) [98] and a very good resistance to the effects of atmospheric neutrons [99], both of which
are important for safety critical design.
In addition to the fail-safe implementation of the differential transceiver sections, the design is
implemented so that spare device pins ensure fail-safe due to short circuits. Shorts between
neighbouring pins that can appear due to foreign conductive material touching the device will
always lead to a safe state. It has already been observed that foreign conductive material can lead
to short circuits between device pins [100] and the use of lead-free components infers a phenomena
called ‘Tin Whiskers’ that can lead to short circuits naturally occurring due to tin growth between
neighbouring pins [101].
To demonstrate the effectiveness of the fail safe pinning, consider Figure 4.44 on the following page
showing three USER PERMIT signals programmed onto even numbered pins with V +
programmed on odd pins. Any short across these pins results in USER PERMIT being logic ‘1’,
i.e. FALSE. This would create a large fault current if the pin was being driven low by the
MAX3440E transceiver, this current would not pass through the matrix, but could potentially
destroy the transceiver. Despite the destruction, this failure is safe in that the Beam Interlock
System could not issue an erroneous BEAM PERMIT TRUE signal.
76 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
Figure 4.44: An Example of Fail Safe Routing in an XC95288XL
These principles have been applied to the whole device, with spare pins programmed so that shorts
lead to the fail safe conditions defined in Table 4.14 on page 74. A so-called Flat Pack chip has
been chosen (HQ208) Ball Grid Array (BGA) technology is available as an alternative, but the
two-dimensional layout means protection against neighbouring shorts using this technique is
unfeasible.
Deriving LOCAL BEAM PERMIT
The fundamental conversion of USER PERMIT and USER PERMIT FAULT into
LOCAL BEAM PERMIT is done in five very simple stages, with the sixth stage being the beam
permit loop switch, Figure 4.45 shows these.
Figure 4.45: Six Stages Inside the Matrix CPLD
Considering all of the USER PERMIT channels leads to Figure 4.46 on the next page showing a
complete block diagram of the matrix internal architecture.
The critical signals are shown in orange, non critical are green and system-level signals are shown
in black. Note that the failure of RESET cannot lead to an unsafe state, but the failure of
CLOCK is quite peculiar. If the system clock should stop oscillating then the matrix will operate
with the last input values it had, since the SWITCH block is purely combinational
LOCAL BEAM PERMIT would stick, and the SWITCH block would either maintain the beam
permit loop closed or open. It could be considered that reclocking the beam permit loop frequency
would remove this potential error, but that would have two dangerous side-effects:
1. Jitter - The global clock operates at 40MHz, oversampling the 10MHz permit loop frequency
only four times. Since the phase alignment of the sampling clock and the permit loop
frequency cannot be predicted the retransmission of the 10MHz could incur an error of 25ns
in every repetition stage, unacceptable considering the LHC may have seventeen stages. An
oversampling many orders of magnitude higher would need to be implemented if the beam
permit loop were to be synchronised at each stage, such a high-speed is unrealistic in a
CPLD structure.
2. Single Generator - The principle of the beam permit loops relies on a single source of
frequency for the whole loop, implementing a local resynchronisation at each stage breaks
this rule somewhat. Having a clock in control at every matrix, despite the fact it is a
different frequency to the beam permit loop, must be considered to lead to more dangerous
failure modes involving multiple controllers.
To protect against this the monitor FPGA observes the behavior of the matrices, and simulates
their operation. If the CLOCK were to stop oscillating this would be detected. The supervision
software would read the mismatch between predicted and actual values and alert operators via the
supervision screens.






























78 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
The five stages of the conversion from USER PERMIT to LOCAL BEAM PERMIT are all
designed to be small and effective, the following sections detail the operation of each.
Synchronise
The design of the matrix is fully synchronous, every black-box shown in Figure 4.46 on the
preceding page is registered. The first stage is a simple synchronisation that samples the input
signal with the CLOCK, as the resources of the CPLD are limited this stage is a single D-Type
flip-flop. Metastability issues usually require up to three successive register stages to be
implemented [102], it is impractical to use such a large portion of the CPLD resources simply for
this, as the delay of an input by a single cycle is not dangerous for the operation of the machine.
This ‘synchronise’ block converts all of the active low signals to active high, so designers can
consider all internal signals as active high.
Filter
The ‘filter’ has two stages, the first is combinational, considering USER PERMIT and
USER PERMIT FAULT to determine whether the user permit channel should be considered
TRUE or FALSE. A transition from TRUE to FALSE triggers a six bit down-counter, which runs
for 64 ticks of the 40MHz clock. Whilst the counter is running the output of the FILTER is forced
to TRUE, this means that any transition lasting less than 1.6µs will be filtered. Using a
down-counter and a value of 2n for the terminal count creates a more resource effective circuit for
CPLD implementation. The counter is retriggerable, so any frequency or transition bursts can
result in the filter being active indefinitely. This is a potentially dangerous effect. To combat this
both the number of glitches and the glitch rate is recorded in the monitor, supervision software
reads these values and alerts operators to unusual characteristics.
Mask
The filtered USER PERMIT is then passed through a ‘mask’ block where the signal is forced to
TRUE when the relevant mask is TRUE and the Safe Beam Flag indicates that the beam in the
machine is not dangerous. The mapping of the MASK bit to the USER PERMIT is quite
particular. A partition of both the signals from User Systems interlocking the LHC beams
independently (i.e. single-beam users) and those that interlock the beams simultaneously
(both-beam users) are maskable.
USER PERMIT User System Input Maskable? MASK BitChannel Type and Number
1 single beam 1 NO -
2 single beam 2 NO -
3 single beam 3 NO -
4 both beam 1 NO -
5 both beam 2 NO -
6 both beam 3 NO -
7 both beam 4 NO -
8 single beam 4 YES 1
9 single beam 5 YES 2
10 single beam 6 YES 3
11 both beam 5 YES 4
12 both beam 6 YES 5
13 both beam 7 YES 6
14 both beam 8 YES 7
Table 4.15: Mapping a MASK to a USER PERMIT
4.4. THE MANAGER BOARD 79
Disable
The ‘disable’ block forces a USER PERMIT to be considered TRUE when the relevant
USER DISABLE bit is set, this can be implemented as either a simple two-input gate, or
multiplexer structure.
Matrix
The ‘matrix’ block is the central function of the matrix, it considers the fourteen USER PERMIT
signals from the ‘disable’ blocks along with the SOFTWARE PERMIT signal. Essentially, if all
are TRUE then LOCAL BEAM PERMIT is set to TRUE. A small structure uses LATCH INIT to
force the LOCAL BEAM PERMIT to FALSE until the power on verification is signalled as
complete by the monitor FPGA, the signals LATCH ENABLE and LATCH REARM are also used
to configure the ‘matrix’ as either free running, or dependent on the monitor FPGA for a rearm
after each trigger.
Switch
The ‘switch’ block either permits or inhibits the propagation of frequency on the beam permit
loop, it also ensures that the inversion of the permit loop signal is carried out. If LATCH ENABLE
is TRUE then the switch is a simple AND gate, however if LATCH ENABLE is FALSE the switch
becomes an edge triggered memory element. The implementation of the memory element is
required to prevent an oscillating LOCAL BEAM PERMIT from creating a frequency on the
permit loop. The simple AND-gate is shown in Figure 4.47, the more complex memory element
consists of a pair of D flip-flops and three XOR gates, this is shown in Section 5.4.2.
Figure 4.47: Simple AND Gate, with False Frequency Propagation
The memory element cannot change state unless the beam permit loop does so. It has the
drawbacks of being much larger, and having higher jitter than the simple AND gate, both of which
are exacerbated by its implementation in a CPLD. The conclusions of this thesis discuss whether
the memory element switch should be replaced by the simple AND gate in the understanding that
the beam permit loop might be seen to change state as a function of the LOCAL BEAM PERMIT
signal.
Decoding the Safe Beam Flag
The Safe Beam Flag that is used in the ‘mask’ block is received from either a front or rear
connection to the Manager board, to select the source the CPLD is hardcoded, a signal
SAFE BEAM FLAG SOURCE MON informs the monitor of the programmed source.
SAFE BEAM FLAG SOURCE MON Safe Beam Flag is taken from
Logic ‘1’ Front panel
Logic ‘0’ Rear differential connection
Table 4.16: Decoding the Source of the Safe Beam Flag
When the flag is read from the differential connection at the rear of the chassis the condition of
both SAFE BEAM FLAG and SAFE BEAM FLAG FAULT have to be considered to determine
the logical value of the flag. The monitor FPGA receives a copy of both the flag and the fault
signal. If the source is programmed as the front panel then the fault signal sent to the monitor is
always FALSE, as there is no fault detection possible when using the single-ended front panel
connection.
80 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
Reset, Configuration and Version
The final sections of the CPLD design to be discussed are those that consider the configuration of
the matrix. Three CONFIGURATION bits are implemented to indicate the expected matrix
function, if the programming implemented in the device does not match the CONFIGURATION
bits programmed on the card the matrix is forced into the reset state. Eight VERSION bits are
also implemented, this allows the monitor FPGA to determine the matrix type and revision.
VERSION Bit 7 6 5 4 3 2 1 0
Value Matrix Type Matrix Revision
Table 4.17: Breakdown of the VERSION Bus





xE Permit Loop Verifier
xF FAULT
Table 4.18: Valid Values of the Upper Nibble of the VERSION Bus
Zero-Ohm resistors set the relevant CONFIGURATION bits to ’0’, open circuit leaves the bit at
’1’. The eight combinations are shown in Table 4.19.
CONFIGURATION Type Bit 2 Bit 1 Bit 0
Normal 1 1 1 None mounted
Generator (generic) 1 1 0 R0 mounted
Extraction Master 1 0 1 R1 mounted
Permit Loop Verifier (generic) 0 1 1 R2 mounted
Generator (beam-1) 1 0 0 R1 and R0 mounted
Generator (beam-2) 0 1 0 R2 and R0 mounted
Permit Loop Verifier (beam-1) 0 0 1 R2 and R1 mounted
Permit Loop Verifier (beam-2) 0 0 0 R2, R1 and R0 mounted
Table 4.19: CONFIGURATION of the Expected CIBM Matrix Type by Soldered Resistors
Beam-1 and beam-2 devices are used in the LHC, whereas the generic devices can be used
anywhere in the CERN accelerator. If the CONFIGURATION does not match the programmed
mode then the the upper nibble of VERSION changes to x‘F’, the lower nibble shows the
programmed operational mode that was expected. This cross-check of programmed version and
resistors is carried out by the reset controller circuit in the matrix, essentially this holds the reset
of the matrix TRUE if there is any problem with the CONFIGURATION. The reset controller
also synchronously released the asynchronous reset to the whole of the device, eliminating some
sporadic problems that are possible when asynchronous reset is used [103].
Frequency Detection and Outputs
For local diagnostics a ‘frequency detection’ block is also implemented to determine whether
BEAM PERMIT is TRUE or FALSE. This detector uses the FAST DETECT parameters that
were described in Section 4.2.7 on page 59. This drives both LEDs and front panel outputs
allowing local supervision and diagnostics to be carried out without invasive probing of signals on
the Manager board. The special case of LHC BEAM PERMIT being required as an input to
another controller can also be achieved using this front panel BEAM PERMIT output. The
creation of BEAM PERMIT INFO can either be done by the monitor FPGA using these signals
directly, or by independent ‘frequency detectors’ implemented in the monitor FPGA using the
beam permit loop frequencies.
4.4. THE MANAGER BOARD 81
4.4.6 Monitor FPGA
The monitor FPGA is the only device in the Beam Interlock Controller that has a VME bus
interface, making it the centre for remote supervision and testing of the controller. The basic
function of the monitor FPGA is to supervise the operation of the matrices, and to log events in a
history buffer synchronised to the CERN General Machine Timing. The block diagram of the
monitor FPGA is shown in Figure 4.48.
Figure 4.48: Input and Outputs of the CIBM Monitor
Internally the design of the monitor FPGA is relatively simple, it contains four main
sections:
1. A VME Bus Interface - a simple interface without interrupt capability. For more
information concerning the implementation of the VME bus consider references [104] and
[105].
2. Interface to the Manager board (CIBM Interface) - translating the signals from the
board and storing them in the internal memory, it also drives various output signals
corresponding to values stored in the status memory. Some more complex functions are
included here, such as frequency detection and matrix simulation to provide a more detailed
account of the controller operation.
3. Interface to the Test & Monitor board (CIBT Interface) - consisting of a parallel to
serial encoder and serial to parallel decoder making a redundant, full-duplex communications
link between Manager and Test & Monitor boards.
4. History Buffer - storing a log of events timestamped to within one microsecond of the
CERN timing system.
Figure 4.49 on the following page shows the internal layout of the monitor FPGA
82 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
Figure 4.49: Basic Block Diagram of the Monitor FPGA Internal Architecture
Figure 4.50 shows a detailed view of the interface to the Manager board that is implemented in the
monitor FPGA.
Figure 4.50: Basic Block Diagram of the CIBM Status Memory
The statuses of all supervised input and output links connected to the board are stored and can be
read, this includes all of the matrix input and output signals, as well as the serial and DC links
between the components that make up the controller. The VHDL code versions of the two
matrices, the monitor FPGA and the two FPGAs that are implemented on the Test & Monitor
board (see Section 4.5 on page 87) are also available.
4.4. THE MANAGER BOARD 83
Setting the VME Address
Before any software can access the board it must have an address. Address selection has to be
consistent to ensure that different combinations of Manager boards can operate in the same VME
chassis without conflicting. The CONFIGURATION bus, and a hardcoded status bit indicating
the position of the Manager board (CIBM ID), are used to determine the board address.
Type CONFIGURATION CIBM ID Base Address
Normal 111 1 (LEFT/Beam-1) x120000
Normal 111 0 (RIGHT/Beam-2) x140000
Extraction Master 101 1 (LEFT/Beam-1) x160000
Extraction Master 101 0 (RIGHT/Beam-2) x180000
Generator (Generic) 110 x x1A0000
Generator (Beam-1) 100 x x1C0000
Generator (Beam-2) 010 x x1E0000
Permit Loop Verifier (Generic) 011 x x200000
Permit Loop Verifier (Beam-1) 001 x x220000
Permit Loop Verifier (Beam-2) 000 x x240000
Table 4.20: Define the Monitor FPGA Base Address
Any valid combination of boards implemented in a VME chassis will be automatically
accommodated as the address selection is completely automated. There is an extra device that has
access to the VME bus embedded on each Manager board, this is a small CPLD used for remote
reprogramming of the monitor FPGA, it also obtains an address from these bits.
Matrix Simulation
Both the input and output signals of the matrices are stored in memory, simulation of the matrix
behaviour is implemented to verify the matrix operation in real-time. A flag is set if there is any
discrepancy between the simulator and actual value, software can then alert operators to the
mis-match.
Permit Loop Frequency Detection and Monitoring
The beam permit loop frequencies on LOOP IN and OUT for A and B are monitored by
detector circuits. In addition to determining the logical value of BEAM PERMIT, the detectors
record some basic frequency statistics. The loops are monitored, giving the average frequency,
shortest and longest period observed. The number of glitches that have occurred since the board
was powered is also recorded, this is interpreted by the supervision software to give the Bit Error
Rate of the beam permit loops, and is ultimately used to determine whether they are operating
within specification. This part of the monitor FPGA also determines whether the frequency on the
beam permit loop is correct by giving two signals, FAST DETECT and SLOW DETECT.
Figure 4.51: Frequency Detection and Monitoring Block Inside the CIBM Monitor
Driving BEAM PERMIT INFO
The FAST DETECT outputs of the frequency detectors on LOOP OUT A and B are considered
together to give BEAM PERMIT INFO. These are transmitted from the Manager board to the
84 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
single-beam User Interfaces (see Table 4.15 on page 78) and are sent to the Test & Monitor board
using Triple Mode Redundancy (TMR). These three signals labelled A, B and C are increase the
availability of the system at virtually no cost - the extra pins would otherwise be left unused. The
termination of the RS485 links has been implemented so that both Test & Monitor boards
installed in a single chassis can use these same signals without any signal integrity issues.
Figure 4.52: Driving the BEAM PERMIT INFO signals
BEAM PERMIT INFO can also be forced from FALSE to TRUE (but not vice-versa) by a
software command, this allows the BEAM PERMIT INFO links to be completely tested on
demand.
Latching
Three bits of information are written into the monitor FPGA to set the latches for each matrix:
LATCH ENABLE, INIT and REARM.
LATCH INIT is set by the supervision software after the versions, configurations and local jumper
settings have all been verified as correct by comparing them to expected settings stored a
database.
LATCH ENABLE is set as a function of the Manager board and patch-panel types. The
patch-panel is identified by a single bit (CIBP ID) hardcoded into the used defined pins of the
VME bus. The ‘normal’ Manager board has LATCH ENABLE set to TRUE only when the device
is attached to an LHC patch-panel.
LATCH REARM is set and reset by the supervision software, every version of the Manager can
have this value written, but only the ‘normal’ Manager in the LHC and the generator boards use
LATCH REARM.
Software Permit and Masking
SOFTWARE PERMIT can be set and reset via the VME Bus, but if the SOFTWARE DISABLE
jumper is TRUE then the value written to the Manager through the VME is ignored and the
SOFTWARE PERMIT is always set to TRUE. The MASK bits can also be set and reset via the
VME bus.
Test & Monitor Status Memory
Figure 4.53 on the facing page shows the status memory concerning the Test & Monitor board. In
this case the upper half of the memory is written to by the VME, containing TEST information
that will be encoded and sent to the Test & Monitor board. The lower half contains MONITOR
data that is decoded from the Test & Monitor board and is then made available to be read
through the VME.
4.4. THE MANAGER BOARD 85
Figure 4.53: Block Diagram of the CIBT Status Memory
Four full duplex serial links are implemented between the Manager and the Test & Monitor board.
Two TEST channels, A and B, pass TEST data, similarly two MONITOR channels A and B
transmit MONITOR data, the A and B links are dual redundant. Decoder circuits can detect
decoding errors or a broken channel and can switch between the two, when this happens a flag is
set in the monitor FPGA which can be read back by supervision. Two separate and coherent bytes
of data must be written into two separate addresses in the Manager to start a TEST, the encoders
read all the TEST registers, continually encoding the data and transmitting it to the Test &
Monitor board.
Figure 4.54: Dual Redundant TEST and MONITOR Links Between the CIBM and CIBT
History Buffer
Figure 4.55 shows the basic layout of the History Buffer. A small circuit timestamps changes to
1µs precision and logs them in a memory.
Figure 4.55: Block Diagram of the History Buffer
There are several events that can create a log in the history buffer:
86 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
1. Matrix input changes - the matrix simulators implement the glitch filters in exactly the
same way as the matrix CPLDs. A change in the USER PERMIT value that occurs after
these is logged.
2. Local beam permit changes - the value of LOCAL BEAM PERMIT is read back from
the matrices, if this changes then a log is created.
3. Beam permit changes - the FAST DETECT and SLOW DETECT outputs of the
frequency detect circuits trigger a log when they change.
4. Safe Beam Flag changes - any change in the SAFE BEAM FLAG creates a log, this
includes the FAULT signal.
5. Mask changes - any changes in the MASK setting are logged.
6. Latch changes - operator requests for a REARM or setting of INIT are logged.
There are almost one hundred different records that can be created by the logging process, these
are described in Appendix D. In the LHC the generation of logs will be extremely slow, as the
Beam Interlock System will only record events at the start and end of a mission when the system
is being armed and disarmed. A large 4096-byte buffer is implemented, this is required for the
transfer line applications where some hundreds of records can be created per cycle as the Beam
Interlock System toggles BEAM PERMIT TRUE and FALSE. The monitor FPGA has to be able
to assemble the record of changes synchronised to the microsecond so parallelism is used to create
the history buffer.
These logged events are the minimum required for the supervision of the system by operators,
there are also some other events that can be logged but are not useful for basic operation, only for
advanced diagnosis.
4.4.7 Manager Display (CIBMD)
The monitor FPGA also connects around 40 signals to a perpendicular front panel display. The
display shows the current status of the Manager board inputs.
• USER PERMIT signals are shown as either a red or green LED, these are triggered by a
monostable so that even a small glitch results in the LED flashing for at least 100ms.
• The MASK setting is also shown, with an orange LED illuminating beside the relevant
USER PERMIT when the MASK is active.
• SAFE BEAM FLAG A and B are both shown as green LEDs, illuminated when TRUE.
• A single orange LED illuminates when the VME signal ‘data acknowledge (DTACK)’ is
TRUE, this happens when the board is being accessed. This is also fitted with a monostable
to ensure that the LED is illuminated long enough to be visible.
The small display has 70 LEDs to show all of these signals, a basic outline is shown in Appendix
M.
4.5. TEST & MONITOR BOARD (CIBT) 87
4.5 Test & Monitor Board (CIBT)
The Test & Monitor board is used primarily to provide remote testing and monitoring of the User
Interfaces connected to the Beam Interlock Controller. It also drives BEAM PERMIT INFO for a
sub-set of the User Interfaces. The Test & Monitor board transmits serialised information between
itself and the Manager and User Interfaces, using full-duplex Manchester encoded data channels
called TEST and MONITOR. Figure 4.56 shows the set-up of these links, orange signals are
related to MONITOR data and green to TEST data.
Figure 4.56: Communication Link Parameters for CIBT Channels
The long distance links use single byte frames at 62.5kHz, framing, synchronising and parity leads
to a bandwidth significantly less than this, as only five bytes of information need to be transmitted
at an interval of around one Hertz it is more than adequate. The short links use quad byte frames
at a fundamental frequency of 250kHz, again this is more than required, as just 120 bytes are
transmitted at an interval of two or three Hertz.
A display is driven by a ‘display driver FPGA’ and a ‘serial communications FPGA’ carries out
the more important TEST, MONITOR and BEAM PERMIT INFO functions.
Figure 4.57: Expanded Block Diagram of the CIBT
88 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
4.5.1 Manchester Encoded Frame Format in the Beam Interlock
System
Manchester encoded frames are used throughout the Beam Interlock System, encoder and decoder
circuits have been designed that provide a robust communications channel with only a small
amount of logic. Manchester encoded frames use a two bit edge based encoding, with a rising or
falling edge representing a transmitted logic ‘0’ or ’1’, this effectively reduces the link bandwidth
to half of the encoding frequency, but has the advantage of good clock recovery and decoding.
Figure 4.58 shows the bit format used in the Beam Interlock System.
Figure 4.58: Transmission Through the CIBT
The quad or single byte frames are based on the same structure, with the payload being increased
for the quad byte version. Single and quad frames are shown in Figures 4.59 and 4.60.
Figure 4.59: Single Byte Manchester Encoded Frame
Figure 4.60: Single Byte Manchester Encoded Frame
The basic transmitted frame breaks down into four sections:
Name Size Value Purpose[ME Bits] [Logic]
Code Violation 1.5 line low Framing synchronisation
Preamble 3 1,1,1 Receiver sampling clock synchronisation
Start Bit 1 0 Receiver sampling clock synchronisation
Payload 9 or 36 DATA & PARITY 1 or 4 Bytes of DATA with PARITY bits
Table 4.21: Manchester Encoded Single / Quad Byte Frame Format
Encoder
The encoder is based on loadable shift register which has been optimised to fit neatly into the
limited resources of CPLDs. A generic block has been developed that allows the number of bytes
in the payload to be selected during synthesis, this generic takes any positive integer value, so for
4.5. TEST & MONITOR BOARD (CIBT) 89
the single byte transmission it is set to one, for quad byte to four, and so on. A second integer
generic sets the encoding frequency as a function of the device clock frequency, this determines the
interval for the shift. Figure 4.61 shows the implementation of the encoder.
Figure 4.61: Manchester Encoder Block Diagram
The input bytes are converted into Manchester encoded data with parity by a simple
combinational path, this is loaded into the shift register when a flag goes high, the register sets a
second flag when it is empty.
Decoder
The decoder consists of a simple state machine which controls the decoding process by aligning the
decoder clock, sampling the incoming data and validating it, and a shift register which stores the
decoded data. The number of bytes in the incoming data packets is set by a generic, as is the
encoding frequency.
Figure 4.62: Manchester Decoder Block Diagram
To start with the circuit waits for the code violation, preamble and start-bit to appear
consecutively on the link, during this time it synchronises the sampler to the centre points of the
incoming data. Following this the sampler runs freely, storing incoming data bit by bit into a shift
register. Once the register is full the data is checked for code violations and parity errors, if the
validation is successful a ready flag is set, if not an error flag is raised.
Simulations and VHDL for the Manchester encoder and decoder can be found in Appendix L on
page 219.
4.5.2 BEAM PERMIT INFO
The Test & Monitor board receives three BEAM PERMIT INFO signals A, B and C as DC flags
from each of the Manager boards. The RS485 receivers are implemented as shown in Figure 4.63
on the following page.
90 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
Figure 4.63: Implementation of the CIBT BEAM PERMIT INFO Circuits
A simple circuit decodes the logic BEAM PERMIT represented by each set of three flags by
majority vote.
A B C Output
TRUE TRUE TRUE TRUE
TRUE TRUE FALSE TRUE
TRUE FALSE TRUE TRUE
TRUE FALSE FALSE FALSE
FALSE TRUE TRUE TRUE
FALSE TRUE FALSE FALSE
FALSE FALSE TRUE FALSE
FALSE FALSE FALSE FALSE
Table 4.22: Majority Voter Truth Table
The BEAM PERMIT for the beam-1 side is ‘OR’ed with that of the beam-2 to give the value of
BEAM PERMIT that is to be applied to the User Interfaces. Only the beam-1
BEAM PERMIT INFO signals are terminated, the multidrop nature of RS485 is exploited to give
the correct termination in both the SPS and LHC chassis. Appendix I on page 199 details the
differences in the implementations.
4.5.3 Serial Communications FPGA
The Serial communications FPGA carries out the main function of the Test & Monitor board,
multiplexing and demultiplexing serial data transmitted between the Manager and User Interfaces.
The FPGA receives a pair of signals TEST A and B from the Manager, containing Manchester
encoded TEST data which is parsed and written to a memory. This is then read out by fourteen
Manchester encoders, each connected to a User Interface.
MONITOR data is received from each User Interface, this is decoded and placed in memory which
is in turn re-encoded and sent to the Manager via MONITOR A and B as a dual-redundant
link.
Matched encoder and decoder circuits are implemented in the User Interface and Manager, all
based on the same Manchester encoded data, running with either single or quad byte transmission,
at either 62.5 or 250kHz. Figure 4.64 on page 92 shows the basic function of the serial
communications FPGA with the paths of the TEST and MONITOR links.
4.5. TEST & MONITOR BOARD (CIBT) 91
4.5.4 TEST Data
The User Interface has TEST data written to it that can put it into three different modes of
operation:
1. Operation - No testing is being requested
2. Test - Either USER PERMIT A or B can be forced TRUE, the channel that is not forced
TRUE is forced FALSE.
3. Reset - The programmable logic on the CIBU is reset, this doesn’t interrupt operation.
Two four-byte TEST frames are sent from the Manager to the Test & Monitor board for each User
Interface. The data is restructured and is sent as four single-byte frames to the User Interface.
The Test & Monitor board simply relays the TEST data given by the Manager board to the
correct User Interfaces, the actual transmission path is simple as shown in green in Figure 4.64 on
the next page. More information concerning the actual structure of the TEST frames can be found
in Appendix D on page 161.
The TEST philosophy is very simple, only one of the channels ‘A’ and ‘B’ can be set to TRUE at
any one time, the other channel is forced FALSE. This allows a complete testing of the Beam
Interlock System from every USER PERMIT through to BEAM PERMIT. The final connection to
the User System is to be tested using an external software that is capable of forcing
USER PERMIT at the User System level.
4.5.5 MONITOR Data
MONITOR data is handled in a similar way to that of the TEST data, this time the source of
information is the User Interface, with the Manager being the ultimate destination. The Test &
Monitor board acts as a relay for this information, simultaneously receiving MONITOR data from
up to fourteen User Interfaces, and retransmitting this to the Manager. The internal status of the
Test & Monitor board is also transmitted to the Manager, combining this status registers in the
Manager itself gives a complete supervision for all the RS485 links implemented in the Beam
Interlock Controller.
4.5.6 Display Driver FPGA and Test and Monitor Display
(CIBTD)
The second FPGA on the Test & Monitor board is dedicated to running a small display that is
fixed to the front of the board. The display consists of twenty rows each having seven LEDs,
making 140 in total. Each LED is driven by an output of the FPGA who simply decodes the
monitor data and displays it. The MONITOR information from the fourteen User Interfaces is
displayed, as are the statuses of the BEAM PERMIT INFO, TEST and MONITOR links to and
from the Manager boards. The layout of the display is shown in Appendix M.





































4.6. THE INTERFACE TO THE USER SYSTEMS (CIBU) 93
4.6 The Interface to the User Systems (CIBU)
The User Systems are given a User Interface (CIBU) to connect to the Beam Interlock System. A
single homogeneous interface is used to connect to the numerous types of User System having
different hardware platforms and various operating Voltages. This approach leads to a system that
is easy to install and maintain, as no differentiation has to be made between User System types,
only in their interlocking architecture. Those User Systems that interlock the LHC beam’s
independently are given a Double-Interface (CIBUD). The User Systems that interlock both LHC
beams simultaneously are given a Single-Interface (CIBUS). In addition to the LHC both-beam
systems, the Single-Interface is used in all the situations where only a single beam is to be
interlocked.
Using the Double-Interface decreases the overall complexity of the system, as only a single
hardware unit is supplied to the User Systems, and it allows for the beam-1 and beam-2 connectors
to be different. The descriptions following in this section relate to the design of a Single-Interface,
interlocking a single beam. A block diagram of this is shown in Figure 4.65.
Figure 4.65: Block Diagram of the User Interface (CIBU)
The Interface relays three Boolean signals from User System to Beam Interlock Controller:
USER PERMIT A, B and BEAM PERMIT INFO. The key platforms and operational voltages of
the User Systems as shown in Table 4.23.
User System Basis Operating Voltage Speed of Response Permit Change Time[Volts] [Relative]
PLC 24 Slow ≈ 1-10ms
VME 5 Fast ≈ 1-10µs
Table 4.23: Basic Categories of User System in the CERN Accelerator Complex
To connect to these User Systems, a simple current loop has been implemented for the input
circuits, and BEAM PERMIT INFO is repeated back to the User System via a simple optocoupler
with a transistor output. The signals passed through the User Interface are internally conditioned
by adding a small hysteresis to the edges, this reduces the chances of spurious changes and noise
whilst input voltages cross through undefined regions. The interconnection from controller to
Interface is entirely based on RS485 differential signal transmission, this provides fail-safe
communications up to 1200m. A full-duplex RS485 link, TEST and MONITOR, is established
with a dedicated Programmable Logic Device to allow for remote supervision and testing. A Xilinx
XC9500 CPLD has been used to interface the TEST and MONITOR link, this gives 5V voltage
compatibility [106], a high reliability [98] and has been proven to have a high radiation tolerance
[107].
4.6.1 USER PERMIT
The redundant USER PERMIT signals A and B are generated by two separate current loops
established within the User System, for each of the two current loops the following applies:
94 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION




Table 4.24: USER PERMIT Current Loop Specification in the CIBU
Essentially this means that the USER PERMIT is guaranteed FALSE if the loop current is less
than 1mA, a loop current greater than 9mA is guaranteed to switch USER PERMIT to TRUE. A
value of current between 1 and 9mA could be either level, the loop current is regulated by a
transistor pair installed in the CIBU, as shown in Figure 4.66.
Figure 4.66: USER PERMIT Current Regulation in the CIBU
The current loop regulation uses two cross connected transistors which self regulate to maintain the
current through the optocoupler [108] [109]. Considering that T2 will switch completely on when it
has a base-emitter voltage around 0.7V, leads to a current of 12.5mA being drawn through the
optocoupler. The 1k2Ω resistor prevents the optocoupler from spurious activation at low voltages,
the 18kΩ resistor prevents an open circuit from floating and generating spurious switches.
The output of the optocoupler is conditioned with a pair of Schmidt triggers and used to drive a
MAX3440 transceiver, this is shown in Figure 4.67.
Figure 4.67: USER PERMIT Current Loop to Differential Conversion in the CIBU
Any disconnection or short on this link leads to USER PERMIT = FALSE.
4.6.2 BEAM PERMIT INFO
The BEAM PERMIT INFO signal is transmitted to the User System from the Beam Interlock
Controller, the User Interface drives an optocoupler with this signal allowing various circuits to be
implemented in the User System. Figure 4.68 on the next page shows the reception and conversion
of this signal.
4.6. THE INTERFACE TO THE USER SYSTEMS (CIBU) 95
Figure 4.68: BEAM PERMIT INFO Differential to Current Loop Conversion in the CIBU
Any disconnection or short on this link leads to BEAM PERMIT INFO = TRUE.
4.6.3 TEST and MONITOR
A full-duplex Manchester encoded serial link is established with the User Interface, using two
channels, TEST and MONITOR. These channels are connected to a CPLD which is responsible
for interpreting the TEST commands, and sending MONITOR data. The full duplex link is
established by using a single MAX488E component, which has the same characteristics as the
MAX3440E only without the FAULT signals. The use of encoded frames means that it’s
automatically evident when a link is malfunctioning, as the decoding circuits will detect errors.
Figure 4.69 shows the basic layout of the TEST and MONITOR with CPLD in the User
Interface.
Figure 4.69: TEST and MONITOR Channel Implementation in the CIBU
Test Data
TEST data originates in the Manager board, it’s then passed to the Test & Monitor board before
being retransmitted to the User Interface, it consists of four data frames which can force the
Interface into one of three modes, ‘test’, ‘reset’ and ‘operation’, TEST and MONITOR are
Manchester encoded frames, Appendix D on page 161 presents the definitions and frame structures
for the transmissions between User Interface and the Test & Monitor board.
The User Interface receives four frames and only changes mode if they are consistent. The test
data is repeated in two frames, the values have to be identical in order to switch into TEST mode,
this repetition and redundancy of information is part of a series of measures implemented to
ensure that the User Interface cannot be put into test mode accidentally. Firstly, the TEST data is
duplicated on the links, to spuriously switch into ‘test’ mode would requires multiple transmission
error. Secondly, the reception of the TEST data frames is timed, two frames must arrive within
eight milliseconds of one another to be validated. Thirdly, the transition from ‘operation’ to ‘test’
is inhibited by hardware if the BEAM PERMIT INFO is TRUE. Considering these protection
methods means that the Bit Error Rate of the TEST channel can be disregarded as errors in this
case are very unlikely to lead to loss of availability.
The Interface decodes TEST ON (ON), TRUE FALSE (TF) and CHANNEL A B (AB) to drive
four signals, TEST ON A, TEST ON B, TEST LOGIC A and TEST LOGIC B. Table 4.25 on the
following page shows the truth-table for these signals.
96 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
TEST Data CPLD Response
ON TF AB TEST ON A TEST ON B TEST LOGIC A TEST LOGIC B
0 x x 0 0 0 0
1 0 0 1 1 1 0
1 0 1 1 1 0 1
1 1 0 1 1 0 1
1 1 1 1 1 1 0
Table 4.25: Converting TEST Data into Signals Within the CIBU
TEST LOGIC A is derived with an XOR, TEST LOGIC B with and XNOR, these are very
simple circuits, ideally suited to CPLD structures, note that there are only two different patterns
that can be activated for the test, setting one channel to TRUE simultaneously sets the redundant
channel to FALSE.
Monitor Data
The CPLD reads both internal and external status registers, encodes them, and sends back five
bytes of MONITOR data. Figure 4.70 shows the internal and external sources of MONITOR
data.
Figure 4.70: External and Internal Sources of MONITOR Data
This data is sent to the Beam Interlock Controller at least twice per second, the transmission of
five Manchester encoded frames takes less than 2.5 milliseconds, so the encoder circuits are idle
more than 99% of the time, transmission is also triggered after the successful reception of TEST
data, if the encoder is idle at that moment.
4.6.4 Implementing the TEST and MONITOR Links
The programmable logic of the User Interface is very simple, it consists of a decoder circuit linked
to a TEST register, and an encoder linked to a MONITOR register. The TEST register is used to
drive the TEST ON and TEST LOGIC signals, the MONITOR register is filled with the external
and internal signals that are remotely supervised. Figure 4.71 on the facing page shows the basic
structure of the CPLD:
4.6. THE INTERFACE TO THE USER SYSTEMS (CIBU) 97
Figure 4.71: CIBU CPLD Internal Architecture
The decoder triggers green and red front panel LEDs RX and ERR in response to the reception of
valid and invalid data frames. The contents of the MONITOR registers are used to drive three
tri-color LEDs, one each for USER PERMIT A, B and BEAM PERMIT INFO.
Figure 4.72: CIBU Front Panel LEDs
Each User Interface has a ten-bit unique identifier (CIBU ID) which is formed by soldering
zero-ohm resistors to the board, giving a number from 1 to 1023 that can be read back at
distance.
Monitoring the USER PERMIT and BEAM PERMIT INFO links
Expanding the USER PERMIT link to include testing and monitoring leads to the circuit in
Figure 4.73
Figure 4.73: USER PERMIT Circuit with TEST and MONITOR in the CIBU
The test is activated when the CPLD sets TEST ON to logic ‘1’ and when BEAM PERMIT INFO
98 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
is FALSE, activating the test moves the USER PERMIT current loop from external circuits to
internal ones, where TEST LOGIC is inverted, and used as a switch. The selection of internal and
external circuits is carried out using a small signal relay, the input to the USER PERMIT circuit
switches to FALSE for some milliseconds during the transition, as the input is effectively open.
This ensures that any change into ‘test’ mode automatically forces the USER PERMIT
FALSE.
Two points on the USER PERMIT link are monitored, the actual value of USER PERMIT is read
back by the CPLD after passing through an optocoupler, This galvanic isolation ensures that a
problem with the CPLD cannot effect the operation of the USER PERMIT link. The RS485
FAULT signal is also read-back by the CPLD, providing a remote diagnostic of the link
operation.
BEAM PERMIT INFO is implemented in a very similar manner, as shown in Figure 4.74
Figure 4.74: BEAN PERMIT INFO Circuit with TEST and MONITOR in the CIBU
The local value of BEAM PERMIT INFO is read, as is the BEAM PERMIT INFO FAULT, so
that the integrity of the whole link can be remotely verified. Galvanic isolation ensures that
erroneous CPLD operation cannot force the BEAM PERMIT INFO state.
Monitoring the Power Supplies
The User Interface is equipped with a pair of redundant power supplies, this redundancy is needed
to reach the availability levels specified for the Beam Interlock System. The two DC supplies
(CIBD A and B) work in parallel, they are isolated with a power rectifier diode, ensuring that the
failure of a single supply cannot cause the second supply output to short circuit. Two signals
PSU A and B are returned to the CPLD, and three green LEDs are driven, giving a visual
indication of the system operation. Figure 4.75 shows a basic diagram.
Figure 4.75: Power Supply Circuits with MONITOR in the CIBU
4.6.5 Single and Double User Interfaces (CIBUS and CIBUD)
The Interface that has been described in this section can be implemented as a Single-Interface
having a single connection from User System to controller, or a Double-Interface containing two
4.6. THE INTERFACE TO THE USER SYSTEMS (CIBU) 99
circuits, with different gender connectors. The Single-Interface is used throughout the CERN
accelerator complex, for connection to either LHC both-beam or any SPS-beam system. The
Double-Interface is only found in the LHC, it has one circuit for connection to LHC beam-1, and
one for connection to LHC beam-2, it’s given to User Systems interlocking LHC beams
independently.
Figure 4.76: Single and Double User Interfaces, CIBUS and CIBUD
Both versions of the interface have redundant power supplies, and a unique programmed
identification (CIBU ID). When a system is connected through a double User Interface both the
beam-1 and beam-2 sides will have the same identification number, and the same power supply
status information. The identification can be directly used to determine the type of User Interface
that is present, the value breaks down into the three ranges shown in Table 4.26.
CIBU ID Value CIBUx Type Range
0 - 99 Prototype CIBUS or CIBUD 100
100 - 599 Production CIBUS 500
600 - 1023 Production CIBUD 424
Table 4.26: Using CIBU ID to Determine CIBUx Type
4.6.6 Fibre Optic Extension of the Controller to User Link
(CIBFx)
The distance from the Beam Interlock Controller to the User Interface is limited to around 1200m
as RS485 is only specified for cable runs of this length. To overcome this limitation a pair of Fibre
Extenders (CIBFx) can be used, that convert electrical signals to optical, and vice-versa. One
device has to be implemented at the user side (CIBFU), the other at the controller side (CIBFC),
together these devices form a link capable of transmission over at least six kilometers, sufficient for
any conceivable requirement of the Beam Interlock System. Each Fibre Extender is equipped with
redundant power supplies, a full monitoring of the link is implemented allowing supervision to
observe the performance of the individual parts. Figure 4.77 on the next page shows the basic
layout of an extended link from User Interface to Beam Interlock Controller.
100 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
Figure 4.77: Extending the CIBU to Controller Link Length
Appendix D details the data that can be read from each Fibre Extender.
4.7. ELECTRICAL ANALYSIS OF THE SYSTEM 101
4.7 Electrical Analysis of the System
Electro-Magnetic Compatibility and signal integrity are big challenges for interconnecting
distributed hardware in industrial environments. Analysis of these has been carried from
component to system level with both simulations and practical experiments, as part of the Beam
Interlock System design. The Beam Interlock System has been shown to have excellent
characteristics in terms of both signal integrity and Electro-Magnetic Compatibility.
The analysis of signal integrity and Electro-Magnetic Compatibility are very closely related:
Signal Integrity
Analysis of signal integrity has been carried out throughout the design, ensuring wavelengths and
rise-times do not adversely effect circuit operation and that in the worst case the system still
functions, key points to consider are:
• Signal frequency
• Circuit impedance
• Wave characteristics of signals
• Cross-talk between signals
Electro-Magnetic Compatibility
Testing for compatibility ensures that the system is not susceptible to external fields and that
critical functions are maintained throughout periods of external interference. It is also important
that the Beam Interlock System does not perturb the operation of other neighbouring systems, key
points to consider are:
• System shielding
• Grounding, both on-board and inter-system
• The appropriate use of differential signalling
• The possible use of slew-rate limited signals
• System testing to ascertain performance levels
4.7.1 Different Types of Link in the Beam Interlock System
For the analysis the Beam Interlock System has been split into five types of link; three considered
at the system level, two at the controller level. The three types of link at the system level are
1. Current loops from User System to User Interface.
2. RS485 signal from User Interface to controller.
3. Fibre optic signals from controller to controller.
These are shown in Figure 4.78 on the following page.
102 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
Figure 4.78: Three Types of Cabled Links at the System Level
The links within the controller can be generalised into two types, the first is board-to-board, where
a signal passes from one board in the VME chassis to another. A typical example of this type of
link is one of the communications channels from Manager to Test & Monitor board, as shown in
Figure 4.79.
Figure 4.79: Typical Board to Board Link at the Controller Level
The second is on-board, where a signal passes from one Integrated Circuit (IC) to another situated
on the same circuit board. Consider the simple block diagram of the Manager board as shown in
Figure 4.80 on the facing page.
The different characteristics of these links are summarised in Table 4.27.
Link Type Maximum Link Length Link Technology Operational Frequency[m] [Hz]
1 4 Current Loops DC →≈10M
2 1200 Very Slow RS485 DC →≈62.5k
3 6000 Single Mode Optical Fibre DC →≈10M
4 1 Slow RS485 DC →≈250k
5 0.15 LVTTL/TTL DC →≈100M
Table 4.27: Summary of Different BIS Link Types Analysed for Integrity and EMC
4.7. ELECTRICAL ANALYSIS OF THE SYSTEM 103
Figure 4.80: Typical On-Board Link at the Controller Level
4.7.2 General Rules
The design and realisation of the Beam Interlock System has followed some general rules to give a
solid basis for the signal integrity and Electro-Magnetic Compatibility.
Layer Stack-Up and Powering
The layer stack-up and powering of each board in the system provides a solid base for resistance to
external events and to good signal integrity.
The differential signals carried in the cables of the Beam Interlock System are routed differentially
on the circuit boards in the User Interface and the Beam Interlock Controller. This ensures that
coupling is restricted to related pairs, with equal and opposite currents flowing in neighbouring
wires [110]. In general the differential impedance of links has been maintained at 50-200% of that
of the cable connecting User Interface to Beam Interlock Controller, using slew-rate limited
transmission with these impedances leads to a signal integrity that is within all
specifications.
Circuit boards that have active components have a power and ground plane, in accordance with
the “5/5 Rule” that states if any signal has a speed >5MHz, or a rise time <5ns, then ground and
power planes must be used [111]. A typical four layer stack-up of an active PCB is shown in
Figure 4.81 on the following page. Power supply decoupling has been given appropriate filtering to
ensure that the voltages received by the active circuits meet specifications, and that return
currents through ground create a very small potential, giving a tolerable voltage change during
operation.
104 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
Figure 4.81: Typical Active PCB Cross-Section
All PCBs that have high speed signals have the “3W Rule” applied meaning that traces are
separated (centre-to-centre) by at least three times their width, ensuring that crosstalk between
unrelated signals is minimised [112].
Throughout the Beam Interlock System differential striplines have been used to carry differential
signals, improving noise immunity [113]. The extension boards and patch-panels have ground
planes applied on both the top and bottom layers, encasing the circuit, and they only has
through-hole connectors. This allows signals to remain buried within the material, without vias
being required to swap the signal from one layer to another, a typical interconnecting PCB is
shown in Figure 4.82.
Figure 4.82: Typical Interconnecting PCB Cross-Section
Unused areas of PCBs have been filled with grounded copper pours and have had the grounds on
different layers stitched together with vias at regular intervals, this increases noise immunity, can
improve characteristic impedance and provides a cleaner ground for the system [114].
Electrical Length Limitations
A key parameter in the analysis of an interconnection is the electrical length, this relates the signal
wavelength that can be found on the link with the physical link length. If this ratio is high, then
the interconnection must be treated as a high frequency design, with impedance and termination
values considered, a low-frequency analysis is sufficient if this ratio is small [115]. Table 4.28 on the
facing page shows a simple look-up table that has been used to define the maximum link lengths to
ensure that the links can be considered as low-frequency.
4.7. ELECTRICAL ANALYSIS OF THE SYSTEM 105
Rise Time Equivalent Frequency Equivalent Wavelength Maximum Trace Length
[ns] [MHz] [m] [cm]
0.5 637 0.28 1.41
1.0 318 0.57 2.83
1.5 212 0.85 4.24
2.0 159 1.13 5.65
2.5 127 1.41 7.07
3.0 106 1.70 8.48
3.5 91 1.98 9.90
4.0 80 2.26 11.31
4.5 71 2.54 12.72
5.0 64 2.83 14.14
Table 4.28: Low Frequency Design Limits Due to Electrical Length
A typical electrical length calculation is presented in Appendix G on page 175.
Differential Signals, Shields and Ground
Balanced differential signals are used wherever electrically long distances are to be covered, with
slew-rate limited drivers being used to reduce high-frequency effects. Bi-directional Transient
Voltage Suppressors are used on every wire that passes outside of the controller, where it could be
exposed to external influence, this prevents high-energy transient effects, such as lightening, or
high-voltage short circuit from damaging the circuits. Shielded twisted pair is used when a cable is
required, with the shields grounded at both ends, and with spare wires grounded at both sides,
these increase the system’s resistance to EMC issues, decrease the chance of the system being a
source of perturbation for other systems and help the signal integrity [116] [117] [118] [119] [120]
[121] [122] [123].
Figure 4.83 shows the principle of a single ground, with connected shields and balanced differential
signalling. ‘Earth’, ‘ground’, ‘zero-potential’ and ‘chassis’ are all considered as one and the same, a
‘system ground’.
Figure 4.83: Balanced Differential Signalling, Shields and Ground
The ground connections are made using the largest possible conducting surfaces, with the shortest
possible links made between grounds at each point, this conforms to modern design practices,
advocated by industry professionals [124] [125] [126] [127].
The use of ‘pig-tail’ connections for shielding is completely prohibited in the system, only 360◦
shield connections are allowed, again in accordance with modern EMC practices [128].
This form of EMC focussed design practice is relatively new, some legacy systems from the LEP
era that are used in the machine are implemented in a different manner, with either open shields,
or shields that are AC coupled. Whilst this makes the individual system performance good, the
effect on the complex as a whole can be non-ideal, some User Systems are reluctant to implement a
full shielding, but EMC tests prove conclusively that the implementation of the link to Beam
Interlock System requires this kind of shielding for the best conformity.
106 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
4.7.3 Signal Integrity Analysis
All of the signals, from type-1 to type-5 have been analysed for integrity which showed them to be
sound, a breakdown of the results can be found in Appendix G.
4.7.4 System Level Electro-Magnetic Compatibility Analysis
The long distance cabled connections, type-1 and type-2 have been tested to IEC-61000-4-4, by
injecting a burst or interference into the cables. Table 4.29 shows the defined test levels for the
IEC 61000:





Table 4.29: IEC 61000 Severity Levels
Level 3 is defined as a regular industrial environment, level 4 is a heavy industrial environment, at
least level 3 is required for the Beam Interlock System, although tests up to 4.0kV have also been
carried out.
All of the tests looked to see if the USER PERMIT signals were perturbed when an external
generator was connected to the cables between User System and User Interface, and User Interface
and Beam Interlock Controller. Different configurations of ground and shielding were tested to
directly compare the validity of the different shielding techniques. Test results are split into four
categories as shown in Table 4.30.
Test Result Description Example
A No noticeable fault No signals are seen to be perturbed
B Corrected fault Critical error occurs, and is filtered
C Fault Critical error occurs, it is not filtered
D Complete failure Loss of power or control
Table 4.30: EMC Test Result Classification
Tests were initially made with USER PERMIT held TRUE, tests were then repeated with
USER PERMIT held FALSE to see whether external events could force the permit to the opposite
value. With correctly implemented shielding the Beam Interlock System achieved a grade A in
4.0kV testing. The weak point of the system is the Power PC embedded in the VME chassis,
which failed during the level 4 tests of the User Interface power supply.
Cables from User System to User Interface
The cables from the User System to the User Interface are one of the key links in the Beam
Interlock System. The SPS and CNGS experiments have given an insight to the approach adopted
by User Systems. Various different cabling strategies have been implemented, notably in the
shielding, EMC testing of these different configurations has given conclusive arguments for the
choice of the 360◦ implementation over the others.
The recommended implementation is shielded twisted pair, with the shield fully connected at both
sides. It is also recommended that a pair of wires in the cable be connected to ground at both
sides, this is shown in Figure 4.84 on the next page.
4.7. ELECTRICAL ANALYSIS OF THE SYSTEM 107
Figure 4.84: Recommended User System to User Interface Cable
This link showed the best performance at the highest levels of testing, without any perturbations
being recorded, as shown in Table 4.31.
Full connector, grounded wires Severity Level
USER PERMIT Setting 0.5kV 1.0kV 2.0kV 4.0kV
TRUE A A A A
FALSE A A A A
Table 4.31: EMC Test Results of Circuit in Figure 4.84
Cables from User Interface to Controller
The cables from the User Interface to the Beam Interlock Controller have full shielding, and a pair
of ground wires connected at both ends, as shown in Figure 4.85.
Figure 4.85: User Interface to Controller Cable
There were no problems with this link at any of the voltage levels.
Power Supply Testing
The Beam Interlock Controller has a switched mode power supply, this was also tested according
to the IEC-61000, with a simple layout as shown in Figure 4.86.
Figure 4.86: EMC Testing of the VME Power Supply
These devices are designed to be used in industrial environments, so it has to be noted that they
have already been tested to the IEC 61000 levels by the supplier [129], however no mention is
108 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
given regarding the level of performance achieved during manufacturer testing. The VME power
supply showed no ill effects at any of the tested voltage levels. The DC supply for the User
Interface (CIBD) was tested in much the same way as the VME Power Supply, using the same
set-up as shown in Figure 4.86 on the preceding page. This is an enclosed power supply from
Tracopower, which has been manufacturer tested and is certified as withstanding 1.0kV
interference [130], to increase the protection level the supply has been encased a second time, and
has a mains supply filter fitted with slow-fuse. The results showed that problems occurred during
testing at 4.0kV, the highest level. Conducted radiation caused the Power PC of the VME chassis
to fail, it needed a power cycle to be restored.
4.8. FAILURE MODES, EFFECTS AND CRITICALITY ANALYSIS 109
4.8 Failure Modes, Effects and Criticality Analysis
The design and realisation of the Beam Interlock System has been motivated by safety
requirements. Failure Modes, Effects and Criticality Analyses (FMECA) have been carried out
throughout the design evolution, determining the safety level of the system, with improvements
that could augment the level.
Key design choices throughout the development of the system have been based on the results of
preliminary FMECA, which can give a relative indication of the safety of one architecture over
another. An example of this is the implementation of a complete redundancy all the way from
User System, a FMECA showed that the benefits of this were great, as both the safety and
capabilities for testing were improved, the FMECA also showed that the system is statistically less
reliable when full redundancy is implemented, which in turn required the addition of
dual-redundant power supplies for operation to reach the required availability.
Although the FMECA formed a very large and complex part of the design of the system, it does
not pertain well to a description within a concise thesis such as this, it is mostly a statistical
analysis involving many tables and values. A small overview of the FMECA method is presented,
then the global results are shown, giving the relative system dependability in its different forms,
and showing the key effects due to the system improvements which have been conditioned by the
FMECA.
The reader must understand that the LHC is the focus of these FMECA investigations, it is the
LHC that needs the most dependable protection system, having the most costly ramifications in
the case of failure, above all, it’s presumed that a system that meets the stringent requirements of
LHC safety can be readily applied to the LHC injector chain, with little or no loss of safety due to
the changing architecture.
4.8.1 Procedure for Performing a FMECA
Methodologies for performing a reliability analysis are usually related to applications that risk
human life in the case of failure. In these cases the consequences of equipment failure can be
generalised not only by dollar-value, but also by potential loss of life. Whilst the LHC is an
expensive machine, one must understand that the loss of human life is not a consequence of the
failure of the Machine Protection System. If this were the case the development and application of
the complete Machine Protection System, including the Beam Interlock System, would be subject
to governmental regulation. To this end the safe operation of the Protection system has been
categorised, not following the limitations of the loss of human life, but the cost of failure in terms
of repair time and swiss-francs.
The consequences of system failure have been split into four different categories.
No Effect Failures - Having no effect on the performance of the system, an example is a decoupling
capacitor failing open circuit, this will not stop the system operating.
Maintenance - These failures allow the current LHC mission to be completed, but the system must
be repaired to return to the specified dependability. An example of this would be the failure of a
redundant power supply, the Machine Protection System can be operated without this, but the
chances of a False Dump are increased if it is not repaired.
False Dump - A failure in the system which results in loss of safety, or critical functionality causes
the current mission to be aborted. These failures are referred to as False Dumps, as the machine
was not in danger and the Dump Request results from a failure in the Machine Protection System
itself. An example would be the failure of an RS485 transceiver carrying a critical signal, this is
detected, and a beam dump request is automatically issued.
Blind Failure - The most serious type of failure is a blind failure, here a circuit fails and leads to
erroneous information being transmitted, for example, if a USER PERMIT is FALSE, a blind
failure would lead to it being decoded as TRUE.
A mission is considered to be ten hours long, as this is the expected length of an LHC run from
pre-injection to planned dump request, some 400 missions are scheduled annually. Before each
mission it is expected that the Beam Interlock System is completely tested, to be considered As
110 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
Good As New (AGAN), this means that only failures within the ten hour window are considered
with the consequences shown above. Altogether the FMECA shows that the system meets the
specification, even when a pessimistic view is taken.
US military handbooks and standards have been used as a basic for the FMECA, with four
documents playing crucial roles in the analysis:
1. MIL-HDBK-217F - Reliability Prediction of Electronic Equipment [131]
2. MIL-HBDK-338B - Electronic Reliability Design Handbook [132]
3. MIL-STD-1629A - Procedures for Performing a Failure Modes Effects and Criticality
Analysis [133]
4. FMD 97 - Failure Mode/Mechanism Distributions [134]
The MIL-STD-1629A defines the methodology for performing a FMECA, but it is completely
based on a military application, with clear guidelines for defining operational requirements. It has
been loosely used as the basis for the Failure Modes, Effects and Criticality Analysis, the
classification of faults and consequences have been changed to match those defined for the
operation of the LHC Machine Protection System.
The Beam Interlock System has been separated into its sub-systems, and a criticality worksheet
has been derived for each, the worksheet is made in the following series of steps.
1. List the components used in the sub-system
2. Determine the component failure rate according to MIL-HDBK-217
3. Determine the component failure modes according to FMD-97 and MIL-HBDK-338
4. Analyse the circuit diagrams, and determine the consequences of each failure mode
5. Sum the hourly rates for each component by mode
A typical criticality worksheet has the following layout:
Part ID Failure Rate Mode Ratio Effect Probability
[Ref Des] [/109h] [FMD-97] [FMD-97] [/h]
R10 13.26 Open/Drift 0.95 BF 1.49E-08Short 0.05 FD 7.83E-10
Table 4.32: Sample from a Criticality Worksheet
Throughout the calculations pessimistic failure rates are used, along with pessimistic views failure
effects. The criticality worksheet for the Double User Interface can be found in Appendix H.
4.8.2 Results of the BIS FMECA
The raw sub-system FMECA results were then multiplied by the quantity of each sub-system
present in the machine, giving the following hourly failure rates and modes for the
sub-systems.
Not every sub-system exhibits all failure modes, the number of Blind Failures is very small as
iterations through the FMECA revealed weaknesses which were progressively designed out of the
system. Of course a blind failure here means that both redundant channels simultaneously fail in
similar ways, leading to a complete blind failure for a single user. Combining the Blind Failures
and cross-correlating for failures within different sub-systems leads to the following table for all of
the LHC:
BIS Probability of Failure NE M FD BF
per Hour 1.31E-03 2.70E-03 9.12E-04 3.27E-09
Table 4.33: Cross-Correlated FMECA Results
4.8. FAILURE MODES, EFFECTS AND CRITICALITY ANALYSIS 111
This figure is within the SIL-4 range specified in table 2.4 on page 26. This considers that the
system is completely redundant, it is relatively easy to manipulate the results to give an indicative
value of the effects of changing redundancy strategy, this is shown in Figure 4.87.
Nomenclature Description Hourly Probability of FailureNE M FD BF
CIBD DC Power Supply 4.78E-05 1.13E-03 2.41E-09
CIBUS Single User Interface 3.89E-04 2.34E-04 2.67E-04 3.80E-11
CIBUD Double User Interface 4.54E-04 2.61E-04 2.98E-04 2.36E-11
CIBPL Patch Panel for the LHC 1.40E-06 2.80E-06 1.97E-05
CIBEA Extension Type-A 5.61E-06 5.61E-06
CIBEB Extension Type-B 2.80E-06 2.80E-06
CIBT Test and Monitor Supervisor 9.08E-05 9.05E-05 4.59E-07
CIBTD Test and Monitor Display 4.90E-05 1.80E-06
CIBM Manager 1.59E-04 1.59E-04 2.39E-04 1.37E-12
CIBMD Manager Display 9.50E-05 4.62E-07 1.33E-05
CIBO Optical Repeater 1.42E-05 5.98E-05 5.08E-14
CIBG Loop Generator 2.91E-06 2.91E-06 6.40E-06
CIBFAN VME Fan Tray 4.92E-04 7.57E-09
CIBPSU VME Power Supply 3.20E-04 3.20E-09
Table 4.34: Results of the BIS Failure Modes, Effects and Criticality Analysis
Figure 4.87: Development of the System Dependability to Meet Operational Requirements
Trade off in failure modes has been made, making the system more available and meeting both the
safety and availability requirements specified for the system.
The left hand column shows the expected operation with no redundancy at all, where expected
failure rates and modes lead to a system which does not achieve any Safety Integrity Level. The
second column shows the system characteristic once the redundancy A and B is implemented
throughout the system, this increases the safety, but the reliability and availability of the system
gets worse. The third and final columns show that making User Interface power supplies, VME
power supplies and VME fan trays redundant increases availability leading to a system
mathematically matching the whole specification.
It’s important to understand why one cannot say that the system will meet the specification, this
is because of the methods used in reliability prediction. One can never be absolutely sure of a
component failure rate, or failure mode, so one uses mathematical models and high-temperature
112 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
tests to build a prediction concerning the operation of the system. Hence, one can only say that
mathematically, or statistically, the system should match the prescribed requirements. Safety
analysis in this manner is not a defined science with a clear TRUE or FALSE, YES or NO answer,
and it cannot be taken as such.
Some conclusions can clearly be drawn from this diagram without philosophical debate of the
nature of the analysis. Firstly, a single VME chassis to house two controllers not only saves money,
but also decreases the overall complexity of the system compared to one having a VME Chassis
per controller. Thus, this increases the overall reliability. The same can be said for the Double
User Interface, which allows independent User Systems to make a pair of beam-1 and beam-2
connections through a single device, this again decreases the overall system complexity, whilst
maintaining the overall function.
The dual-use components are very successful in making a system more reliable, but in fact have no
effect on the system safety. To reach required safety level the FMECA showed that the system had
to be made completely redundant. The blind failures rate shown in the table considers the
redundancy of the Beam Interlock System, the probability shown is of both redundant critical
paths failing in the same way for the same User System, in the same mission. The cross correlation
between different sections of the system is also taken into consideration for this figure.
4.9. TESTING, COMMISSIONING AND SYSTEM DIAGNOSIS 113
4.9 Testing, Commissioning and System Diagnosis
Testing, commissioning and diagnosis are all closely related, a system level commissioning of
the Beam Interlock System can be carried out by performing a full system test, whereas a
complete commissioning can be done by testing the inter-system operation through a sequencer
program which includes the User Systems and the Beam Transfer or beam dump systems. The
Beam Interlock System can only be considered as ready for operation once the complete
commissioning has been carried out.
A passive observation of the system health can be carried out within some seconds, by considering
MONITOR data from each controller. Every DC RS485 link in the system has monitoring
implemented at the electrical level and every encoded RS485 link has a link level monitoring
detecting the loss and possible corruption of encoded information. An active investigation of the
Beam Interlock System can be carried out by using the internal TEST functions, which verify that
the Beam Interlock System is functioning within design parameters, giving an indication of the
system’s readiness for operation. The Beam Interlock System test and commissioning is broken
down into three stages.
1. Controller Testing - Each controller in the Beam Interlock System can be checked to
ensure that it is configured correctly, this includes the User Interfaces and interconnecting
cables. Passive monitoring and active testing ensures that the functionality of the system is
correct.
2. System Testing - Once the operation of each controller is known to be correct the links
between controllers can be verified. Beam permit loop response times and propagation paths
can be tested and verified, to ensure that the system is performing to design specification.
3. Inter-System Testing - The links between the User Systems, Beam Interlock System and
Beam Transfer System can be checked once the Beam Interlock System has passed the
system testing. Links between User Systems and Interlock System can be verified by
remotely setting and unsetting USER PERMIT channels, links between the injection,
extraction or beam dumping systems and the Beam Interlock Systems can be verified by
setting and unsetting BEAM PERMIT.
Active testing is always carried out in a completely safe manner as both links ‘A’ and ‘B’ cannot
be simultaneously activated during a test. The implementation of two completely isolated channels
from USER PERMIT to BEAM PERMIT is fundamental to this, online testing is a very
motivating factor for the development of completely redundant links.
If a test fails, the implementation of complete supervision makes fault localisation fairly simple.
The electrical integrity of RS485 links gives an instant indication of problem areas, making repairs
fast and effective. Preventive maintenance is also possible through such things as the remote
monitoring of redundant power supplies. The failure of a single supply will not cause the current
mission to be aborted, before the next mission an intervention can scheduled to restore the system
to full operation, with the full complement of redundant power supplies.
4.9.1 Controller Testing, Commissioning and Diagnosis
Testing of the controller is split into two steps, the first step involves a passive examination of the
electrical integrity of the system, and the system configuration by using MONITOR data. The
second step uses the built in ‘test’ mode of the system to verify the integrity of all of the links in
the system.
Passive Examination - Monitor Data
The first step towards analysis of the operation of the controller is to look at MONITOR data, this
can be broken down into three levels of supervision.
1. Electrical Level - RS485 FAULT signals determine whether the differential links are
electrically correct, this kind of error detection is implemented in every DC link that is used
in the system, and at least one end of every encoded link.
114 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
2. Link Level - Both DC and encoded links can be checked for link integrity by checking the
consistency of transmitted and received DC levels, by verifying that decoder circuits do not
show any link errors and that glitch filters are not indicative of a link fault on critical DC
levels.
3. Configuration Level - The configuration of important components of the controller can
also be read back. This includes VHDL versions, jumper settings and matrix configurations.
This supervision does not usually indicate a component failure, rather a bad configuration
requiring an intervention.
Every data link which is within the chassis of the Beam Interlock Controller has a remote diagnosis,
this includes the links between Manager and the Test & Monitor board and the connections to the
Safe Machine Parameters Receiver (SMPR), they are shown in Figure 4.88.
Figure 4.88: Diagnosis of Stand-Alone Controller Operation
All of the links have electrical level supervision, link level supervision can compare the transmitted
with received values. The Manchester encoded links have integrity checks where any framing errors
or timeouts can be used to indicate damaged or broken connections. Configuration level
supervision ensures that the latest VHDL versions are being used and that the configuration of the
Manager board and patch-panel is consistent with expected values, this includes the jumper
settings and other elements, such as the source of the Safe Beam Flag. Combining the supervision
at these different levels allows the whole controller to be passively verified.
A similar analysis can be carried out on the links between the controller and each User Interface,
as shown in Figure 4.89.
Figure 4.89: Diagnosis of Controller and CIBU Operation
The USER PERMIT, BEAM PERMIT INFO, TEST and MONITOR links are all checked for
electrical integrity by monitoring the RS485 FAULT signals, for the USER PERMIT and
BEAM PERMIT INFO signal both the source and destination FAULT signals are available in the
MONITOR data. The two redundant power supplies in each User Interface can also be inspected
4.9. TESTING, COMMISSIONING AND SYSTEM DIAGNOSIS 115
for electrical performance, ensuring that both are functioning correctly. Link level integrity can be
ascertained by looking for differences in the internally read and received values of USER PERMIT
and BEAM PERMIT INFO. Manchester decoding errors can be used to establish whether the
serial communication channels TEST and MONITOR are coherent, for the USER PERMIT
signals both glitch counters and glitch rates can be used to check signal integrity. At the
configuration level the User Interface Identification can be read and compared to ensure that the
correct Interface is installed, and that it has the correct beam function. This passive snapshot
gives an immediate indication of the performance of the connection between each User Interface
and controller.
In the tree architectures the LOCAL BEAM PERMIT of one controller can be connected directly
as a USER PERMIT input to another. This link can be completely supervised just as a regular
USER PERMIT, even though this link may only be implemented a handful of times in the CERN
accelerator complex. Both the sending and receiving end FAULT signals are available to check
electrical integrity, for link level integrity the sent value of LOCAL BEAM PERMIT and received
USER PERMIT can be compared and the glitch counters and rates monitored. Figure 4.90 shows
this simple interconnection.
Figure 4.90: Diagnosis of Slave-Controller to Master-Controller Link
The User Systems that are connected through both a User Interface and Fibre Extender kit can
also be completely supervised. Electrical integrity can be verified by checking FAULT signals in all
stages of the transmission, redundant power supplies can also be remotely verified. Finally, the
integrity of all the links can be verified by checking for Manchester decoder errors, glitches and
errors flagged in the fibre optic link, as shown in Figure 4.91.
Figure 4.91: Diagnosis of an Extended Controller to User Interface Link
Active Examination - Test Mode
Testing the system in a stand-alone mode is the equivalent to a simple commissioning of the Beam
Interlock System, where the internal structure and cabling is completely verified, this is done in
three steps, all of which can be activated from the supervision software.
116 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
Figure 4.92: Testing the Beam Interlock System
The complete operation of the A and B redundancy can be checked by using test mode to force
A TRUE, B FALSE and vice-versa, during each test the monitor data can be read-back and
checked for consistency. More importantly, setting one signal to true allows the signal propagation
to be traced back through User Interface and controller making sure that all the signals are
coherent, and that they are routed in the correct paths without any short circuits. Electrical and
link level supervision can be checked in both configurations to ensure that the Beam Interlock
System architecture is correct, and that the system is performing to specification.
BEAM PERMIT INFO can also be forced to TRUE to check its integrity throughout the
controller. The final step in commissioning a controller is to first force a User Interface into test
mode, then subsequently to set BEAM PERMIT INFO to TRUE, this should result in the User
Interface switching automatically to operation mode, as the test is hardware inhibited when
BEAM PERMIT INFO is TRUE.
4.9.2 System Testing, Commissioning and Diagnosis
System level testing can begin once each controller has been verified. The beam permit loops are
the focus of the testing and monitoring. Forcing every User Interface into test mode on the whole
of one redundant channel forces all the LOCAL BEAM PERMIT signals for a single loop to be
established. Generating the 10MHz then allows BEAM PERMIT of the loop to be set, the
propagation of the beam permit loop can then be checked for both electrical and link integrity.
The generator can be forced to stop leading to BEAM PERMIT changing to FALSE, the
propagation of the frequency interruption around the machine can then be inspected, ensuring
that the loop is coherent.
A more comprehensive test is possible by setting BEAM PERMIT TRUE for a permit loop and
then switching a User Interface to the opposite test mode. This breaks the permit loop frequency
propagation at that point, this can then be traced around the machine, ensuring that response time
requirements are met, and that the generator arming state machine is working correctly.
4.9.3 Inter-System Testing, Commissioning and Diagnosis
Once the individual system tests of the Beam Interlock System have shown that internally the
system is operating correctly, focus can shift to the last link from User System to User Interface.
4.9. TESTING, COMMISSIONING AND SYSTEM DIAGNOSIS 117
Testing at this level is carried out with the same three steps that were shown in Figure 4.92 on the
preceding page. In this case the internal test mode of the Beam Interlock System is not used for
testing the USER PERMIT signals instead they are forced to change state at the level of the User
System.
A sequencer is foreseen that will have a link to every User System, the Beam Interlock System and
the extraction, injection and beam dumping systems. This sequencer will have direct access to the
USER PERMIT signals driven by the User Systems and the BEAM PERMIT read by the Beam
Transfer systems. On request, and if conditions allow, the sequencer will be able to switch specific
USER PERMIT signals from TRUE to FALSE and read back the relevant BEAM PERMIT
signal. This can be carried out in a completely safe manner by exploiting the A and B
redundancy.
Figure 4.93: Test and Commission of Beam Interlock System
Completing these steps is equivalent to a complete commissioning of the Beam Interlock System.
118 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
4.10 Software and Supervision
Once armed, the Beam Interlock System is designed to operate autonomously in a completely safe
manner without intervention or control from operators or supervision systems. It’s designed to be
safe at hardware level, without software required for correct operation. The matrices controlling
the critical functions do not rely on the operation of the monitor FPGA, however, supervision is
still an important part of the Beam Interlock System, it provides operators with an instant
overview of the machine operation, whilst also allowing machine interlock experts to quickly and
accurately determine the health of the system. The software supervision is all based on the
standard CERN Front-End Software Architecture (FESA) which allows front end accelerator
controls to be integrated into a software architecture common to the whole machine.
The FESA operates at the level of the VME chassis, a FESA server runs in the Power PC of the
VME chassis, it polls the Manager board every second, formatting the data stored there and
making it available to be read by supervision software which runs as a Java client. This Java client
is referred to as the supervision software, the software is realised to meet the requirements of both
types of user, through two different screen types: Operator Screens and Specialist Screens.
The software is in a continuous state of development, only a few screens have been realised, the
figures shown in this section are non-functional mock-up screens, functioning versions are shown in
the next chapter where the prototyping and preliminary results are discussed. Strategically, the
final implementation of the software will have to fulfill all of the needs for the operators and
specialists, which view exactly the same hardware but in a completely different level of
detail.
4.10.1 Operator Screens
The supervision is intended to give a quick visual representation of the Beam Interlock System,
allowing views to be chosen that range from user level, through controller up to system level.
Operators are not too concerned with the operation of the system at the electrical level, so a wide
range of options is given for the specific view shown of the system operation.
Geographical View
The software has a ‘System’ tab which shows primary screens with the operation at the system
level. The first tab extrapolates to one level higher, showing the operation of the seven Beam
Interlock Systems simultaneously, based on the geographical layout of the accelerator complex.
Figure 4.94 on the facing page shows a representation of what this could look like, where clicking
on the tabs shows different systems.
The circles beside the system names represent the BEAM PERMIT values of the Beam Interlock
Systems. BEAM PERMIT only switches TRUE for some milliseconds in the ‘tree’ systems, so
when a BEAM PERMIT window was detected by the software it causes the relevant sections to
briefly flash green giving an indication of a window passing even though the actual read may have
taken place just after the extraction. Clicking on any of the circles brings up the relevant system
level window, relating to the specific Beam Interlock System.
Architectural View
The geographical view is complemented by an architectural view, this collects the User Systems by
function, rather than location. It’s possible to show the function of the whole system on a single
screen, for example Figure 4.95 on the next page shows a possible hierarchical view of the LHC
Beam Interlock System. In this case the Powering Interlock Controllers are not giving
USER PERMIT, the operators are immediately drawn to the red indicator, which when clicked
could launch the relevant supervision and control software of the malfunctioning system for a more
accurate debugging. Text logs are created to compliment this, the operator has a clear indication
of the problem locations, which can quickly be used to start corrective action.
4.10. SOFTWARE AND SUPERVISION 119
Figure 4.94: CERN-wide Supervision
Figure 4.95: Architectural View of the LHC BIS Supervision
120 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
Injection and Extraction Specific Screens
The architectural and geographical views are excellent for the operation of the ‘ring’ systems, but
they are not so accurate when it comes to the windowed extraction and injection systems. Bar
graphs can be used to give a visual indication of the operation at the system level, this is especially
useful for the extraction from SPS point 4, where the beam destination can be either CNGS, or
the LHC. Figure 4.96 on the facing page shows a typical bar graph view at the system level for this
extraction.
The relevant controllers are listed on the left hand side of the chart, with the final extraction
permit signal at the top. The start of the machine cycle (SSC) and extraction signals (EXT) are
marked as vertical bars on the horizontally scrolling bar chart. Various parts of the bar charts
become greyed out when the beam destination indicates that they may be ignored, this gives a
quick and simple overview of the operation of the system. A cycle log can also be kept, with any
missed extractions being flagged, these can be investigated during down-time to ascertain the
cause of the missed extraction.
These bar chart views can also be selected for each controller, by either selecting from the
drop-down menus or clicking on the controller name on the system level bar-graph view. In this
case a small floating window is created that automatically refreshes every second, this means that
the bar graphs for all of the relevant extraction and injection controllers can be shown
simultaneously, useful during commissioning and testing.
The ‘Beam Mode’ that is shown on these charts shows the destination for the beam in the machine,
this value is one of the special User Systems of the Beam Interlock System for SPS Extraction in
BA4. Note that the beam accelerated in SPS can only have one destination at a time.
Controller View
Descending deeper into the operation of the Beam Interlock System allows the inputs and outputs
for a particular controller to be shown, a typical screen could be like the one shown in Figure 4.97
on the next page. The list of controllers is maintained as a tree structure on the left hand side,
selecting a controller, (in this case BA6) brings up the basic structure of the controller. MASKING
can be applied at this level by selecting and deselecting masks, if the Safe Beam Flag is FALSE
these masks are ignored. A text log can also be shown indicating any thing that is out of the
ordinary, in this case it is showing that the Beam Loss Monitor User System is not giving
USER PERMIT, however, as the channel is masked and the Safe Beam Flag is TRUE, operation is
allowed to continue.
Any User System that is disabled is automatically greyed out, the supervision software compares
the read-back disable switches and compares them to a database, any inconsistencies would be
immediately highlighted for operator acknowledgment. An advanced view is possible which details
all the redundancy within the Beam Interlock Controller, it is not expected that the operators
would select this advanced view for day-to-day operation as it displays information which is not
relevant for normal operation.
Operators can also select a hierarchical view at the controller level, in the same way as was shown
at the system level, the final option displays the history buffer from the controller, this allows
operators to establish a timeline of events, and to record the occurrence of specific events to
microsecond precision. It is expected that the history buffers from many controllers could be
merged, giving a system level view of operation, useful for debugging complex events.
The Beam Interlock Systems also serve as the first point of call for Post Mortem analysis, if the
logs from all the Beam Interlock Systems are merged it is possible to show the chain of events that
lead to the beam dump request.
4.10. SOFTWARE AND SUPERVISION 121
Figure 4.96: Bar Graph View of the BA4 Extraction BIS Supervision
Figure 4.97: Controller Level Simple Supervision
122 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
Figure 4.98: Controller Level Floating Bar-Graph
4.10.2 Specialist Screens
The diagnosis and specialist tabs are closely related, diagnosis shows the internal statistics of the
system operation, these can be viewed at the system, controller or user level. These are useful for
operators, as they show a reduced information related directly to the operation of the machine.
Specialist screens expand the diagnosis view to show a more complete information that is directed
towards machine specialists, particularly the operation of the Beam Interlock System.
Electrical Operation
A typical example of this is a specialist status screen which shows the electrical operation of the
system at the user, controller and system levels, a typical output is shown in Figure 4.99 on the
facing page where the RS485 links are shown from User System to Beam Interlock Controller. In
this example there are only four User Interfaces connected to the controller, one of the User
Interfaces is shown as an extended version, having a Fibre Extender kit installed for signal
transmission.
A text log is also created showing the status of the system at the controller level, in this case it can
be seen that one of the redundant power supplies of User Interface #144 (CIBU 144) is
malfunctioning. A maintenance item is created, and th operator is clearly informed. The
supervision software will inform operators of failures that allow operation to continue, as they do
not effect system safety. A typical controller can have up to fourteen inputs, clicking the ‘More...’
button brings up a large screen highlighting the whole controller, it is also possible that this
reduced screen would only show the parts of the system that have failures.
Beam Permit Loops
At the system level the redundant beam permit loops are important for operation. A specialist
screen is foreseen that shows the characteristics of the loops, Figure 4.100 on the next page shows
a typical view.
The frequencies, distributions, number of glitches and error rates are shown at each point of the
beam permit loop. This gives an instant indication of the permit loop function. These figures can
be plotted graphically by clicking on the relevant button, showing the operation of the beam
permit loops with reference to the worst acceptable performance. Numbers in these tables become
orange when they are approaching limiting values, red when they are outside of design
specification.
4.10. SOFTWARE AND SUPERVISION 123
Figure 4.99: Specialist Supervision Beam Interlock Controllers
Figure 4.100: Specialist Supervision of the Beam Permit Loops
124 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
Figure 4.101: Specialist Test Screens at the Controller Level
Figure 4.102: Specialist Test Screens at the System Level
4.10. SOFTWARE AND SUPERVISION 125
Test Mode
Test mode is one of the most important functions of the Beam Interlock System during
commissioning and before injection, numerous specialist screens are foreseen that aid in the
implementation of this function. Test mode is a powerful tool, it’s expected that it will be briefly
used at the start of every mission, to ensure the functionality of key parts of the system, a full
system test is expected to be ran periodically, at intervals between one month and one year
depending on circumstances. Essentially the test mode allows USER PERMIT A to be set to
TRUE whilst B is set FALSE and vice-versa, it also gives a method for testing
BEAM PERMIT INFO, which can be forced to TRUE on command. Figure 4.101 on the facing
page shows the test screen at the controller level.
Unchecking the ‘all’ boxes at the bottom allow individual User Interfaces to be tested, checking an
‘all’ box overrides the settings at the User Interface level and sets the specified test to every User
Interface. An automated read back can then confirm that the set values are correct, and that the
Beam Interlock Controller is behaving correctly. Figure 4.102 on the preceding page shows a
typical system level test supervision screen where tests can be set at the system level.
At this level it is also possible to read back Safe Beam Flag values, it is foreseen that a test mode
of the Safe Machine Parameters system could set one of the flags to TRUE, the other to
FALSE.
Of course the screens shown here have not yet been realised, these are just starting points to
inspire the supervision software that will be implemented for the system start up in 2007. It may
also be that the full range of screens is not available until some months after the start of LHC, as
priority is given to the more critical functions required for the initial stages of machine operation.
Equally, it is unclear how some specific functions will be implemented, such as the request for
automatic beam-dump of both beams in the generator board, or the automated arming of the
beam permit loops. These problems will be addressed and overcome in due course, unfortunately
not allowing enough time for their inclusion in this thesis.
126 CHAPTER 4. BEAM INTERLOCK SYSTEM REALISATION
Chapter 5
Proof of Concept and First
Experience
The Beam Interlock System has been tested in numerous situations as a precursor to the mass
production and installation of the equipment for the protection of the LHC. A full controller
prototype and a set of User Interfaces were manufactured and rigorously tested in laboratory
conditions, following this a complete preseries of Beam Interlock Controllers and User Interfaces
was made and installed in both the SPS ring and the SPS BA4 extraction for CNGS beam. The
protection of the SPS and in particular the CNGS experiment have been important milestones for
the Beam Interlock System, proving the system operation with real risks in the case of
failure.
5.1 Prototype Testing Examples
The prototype testing covered the complete operation of the Beam Interlock Controller from User
Interface through to beam permit loop, a brief overview of the key test points is presented here,
concerning the testing of the User Interface, Test & Monitor and Manager boards.
The patch-panel and extension boards were also completely verified, these passive components
proved to be reliable and robust, the exploitation of the VME chassis in this manner has been
proven to be sound, making reliable interconnections between components. Appendix O details the
assembly the passive elements in the rear of a VME chassis.
The following pages present the results of tests and measurements carried out on the operation of
the components in the critical path of the Beam Interlock System.
User Interface
The User Interface has been rigorously tested both for its ease of fabrication, function and for
compatibility with User System platforms.
The current loop input was shown to be very versatile, regulating a forward current between 10
and 13mA depending on component values and User System Voltage. The switching threshold
between USER PERMIT FALSE and TRUE is around 3.5mA, with the output changing state
once the input reaches around 1.7 Volts. These characteristics will slowly increase as the
components on the circuit board age, the guaranteed switching level for the optocoupler is 6.3mA,
which is reached once the input voltage exceeds approximately 2 Volts. The absolute maximum
level of input voltage is much higher than the 25V specification as the transistors used in the
design tolerate some 50V before breaking down, nonetheless, Transient Voltage Suppressor (TVS)
diodes are used that have a threshold of 33V. These provide complete overvoltage protection for
the input circuits of the User Interface with little effect on the system response time. Overall, the
input characteristics of the current loop are good, this single circuit can easily accommodate every
User System.
127
128 CHAPTER 5. PROOF OF CONCEPT AND FIRST EXPERIENCE
The propagation delay for a transmission of USER PERMIT through the User Interface has also
been investigated. Figures 5.1 and 5.2 show the results of experiments that recorded some
thousands of USER PERMIT activations and de-activations. A 5V signal was used as an input to
the User Interface current loop. The upper trace shows the input to the User Interface, the lower
traces show the output which has been conditioned by an RS485 receiver. Persistence has been
used on the traces, the shaded purple areas show the range of responses over the thousands of
activations.
Figure 5.1: TRUE to FALSE Figure 5.2: FALSE to TRUE
The propagation delays are acceptable, with typical responses as shown in Table 5.1.
Transition Input to Output Delay
TRUE → FALSE 3.3± 0.5µs
FALSE → TRUE 4.6± 0.5µs
Table 5.1: Time Delay of the CIBU circuits for a 5V User System
Glitch Filters on the Manager Board
The USER PERMIT transmitted from the User Interface is conditioned by the matrix on the
Manager board. Amongst the many tests of this board were measurements concerning the
operation of the glitch filtering circuits. This is one of the more complicated operations
implemented in the matrix CPLDs.
The upper dark-blue trace is the USER PERMIT signal input to the matrix, with the lower
light-blue trace being the signal at the output of the matrix. In this case the Manager board was
equipped with a 2µs filter, slightly longer than the 1.6µs filter specified for the final
implementation.
Figure 5.3: USER PERMIT FALSE ≥ 2µs Figure 5.4: USER PERMIT FALSE < 2µs
Figure 5.3 shows a USER PERMIT change that lasts longer than the filter length, Figure 5.4
shows a change that is shorter than the filter length, which is removed.
5.1. PROTOTYPE TESTING EXAMPLES 129
TEST and MONITOR Mechanisms
The function of the Test & Monitor board has been verified by a small Visual Basic program. The
Test & Monitor board was connected to a single User Interface and the serial transmission between
the devices was verified. Figure 5.5 shows the output of the program, with the connected User
Interface shown at the top of the monitoring screen. The raw data read from the Test & Monitor
board is tabulated on the right-hand side, allowing a bit-level verification of the serial
communications channels. Eventually, this local monitoring screen will be implemented in the
Beam Interlock System supervision software to monitor the status of the complete system.
Figure 5.5: Monitoring of the CIBU via the CIBT and Visual Basic
LOCAL BEAM PERMIT as a USER PERMIT
Connecting one Beam Interlock Controller as an input to another is vital for the operation of the
extraction and injection interlock systems, this is the basic principle for the implementation of the
Master Beam Interlock Controller. A pair of prototype controllers has been used to verify the use
of LOCAL BEAM PERMIT as a USER PERMIT input. Figure 5.6 shows the layout of this
interconnection, where the USER PERMIT from a User Interface connects to a Beam Interlock
Controller, which is subsequently connected to another controller, in the same way as will be
implemented for the Master Beam Interlock Controller.
Figure 5.6: User Interface → Controller → Master
130 CHAPTER 5. PROOF OF CONCEPT AND FIRST EXPERIENCE
The typical response time is shown in Figure 5.7. The upper trace shows the USER PERMIT
input to the User Interface, the middle trace shows the LOCAL BEAM PERMIT output of the
Beam Interlock Controller, the lower trace is the LOCAL BEAM PERMIT of the Master Beam
Interlock Controller.
Figure 5.7: Reponse Time of the Master-Slave Links
The transmission delay between each Beam Interlock Controllers is < 3µs, this will easily
accommodate the requirements of the extraction and injection regions.
Beam Permit Loops
The principle of the beam permit loop have also tested, in this case a small four point loop was
formed, and measurements concerning the frequency propagation characteristics were taken. The
layout of the test loop is shown in Figure 5.8.
Figure 5.8: Simple Three Controller Prototype Beam Permit Loop
The measurement points are marked in blue on Figure 5.8. The four following charts are screen
shots from an oscilloscope connected at the four points of the beam permit loop.
5.2. INTERLOCKING THE SPS 131
Figure 5.9: CIBGOUT vs BIC1 Figure 5.10: CIBGOUT vs BIC2
Figure 5.11: CIBGOUT vs BIC3 Figure 5.12: CIBGOUT vs CIBGIN
Tabulating these results leads to Table 5.2, showing the jitter observed at each point of the
loop.
Distribution Sigma [ns] CIBGOUT BIC1 BIC2 BIC3 CIBGIN
Pessimistic Prediction 0.04 0.11 0.15 0.18 0.24
Observation 0.03 0.07 0.12 0.10 0.15
Table 5.2: Predicted and Observed Performance of the Prototype Beam Permit Loop
An unexpected characteristic of some optical transceivers was the improvement of duty cycle
during transmission, the devices exhibiting these effects have above average characteristics for both
transmitted power and receiver threshold. Generally, the prototype beam permit loop proved the
frequency transmission principle to be sound, with the models derived in section 4.2 shown to have
the correct characteristics.
5.2 Interlocking the SPS
Once the laboratory tests showed that the system was functionally correct, a preseries was made
and installed in the SPS machine.
The SPS has has six points, each is to be eventually fitted with a Beam Interlock Controller, but
for the 2006 testing only a sub-section of the SPS was fitted with a Beam Interlock System. This
was implemented in parallel to the existing SPS interlock system, meaning that the SPS safety
would not be compromised if the Beam Interlock System failed.
There were only five User System installed, requiring three Beam Interlock Controllers.
Figure 5.13 on the next page shows the layout of the installed systems and controllers with respect
to the SPS.
132 CHAPTER 5. PROOF OF CONCEPT AND FIRST EXPERIENCE
Figure 5.13: Beam Interlock Installation in SPS, 2006
The SPS Beam Dump System is located in point one (BA1), at this early stage the beam dumping
system was equipped with a single frequency detection circuit for a single beam permit loop. To
maintain the system safety the permit loops were passed through the A and the B matrices in
series. At the points without controllers a simple bridge was used to complete the permit loops.
Figure 5.14 shows the permit loop implementation in the SPS.
The fibres installed in the SPS give a good basis for functional verification of the beam permit loop
as they have a relatively high attenuation and are typical of those that will be installed in the
LHC. The fibre runs from point 6 to 4 and point 3 to 1 are approximately the same lengths as
those that will be installed between points in LHC. A pessimistic beam permit loop performance
can be inferred using the rules derived in Section 4.2, this can be compared to SPS beam permit
loop observations. The test points are labelled in green on Figure 5.14, Table 5.3 on the facing
page shows the measured optical losses, coupled with the optical characteristics of transmitter and
receiver for each link.
Figure 5.14: Beam Permit Loop and Controller Installation in SPS, 2006
The measurements of the transmitted optical power, link losses and receiver thresholds were used
5.2. INTERLOCKING THE SPS 133
to derive the expected beam permit loop performance and overall jitter at each test point. The
right hand column (shown in blue) of Table 5.3 shows the overall sigma predicted using the
pessimistic model.
Link Transmitter Link Receiver Power Change Overall
Start End Power Loss Threshold Margin in σ σ[dBm] [dB] [dBm] [dBm] [ns] [ns]
BA1 BA6-A -16.49 2.29 -32.79 -14.01 0.1 0.1
BA6-A BA6-B -16.54 0.45 -32.43 -15.44 0.1 0.2
BA6-B BA4-A -15.23 2.91 -32.80 -14.66 0.1 0.3
BA4-A BA4-B -15.85 0.59 -31.33 -14.89 0.1 0.4
BA4-B BA3-A -15.83 2.65 -32.83 -14.35 0.1 0.5
BA3-A BA3-B -15.98 0.44 -31.13 -14.71 0.1 0.6
BA3-B BA1 -16.08 3.88 -31.39 -11.43 0.1 0.7
Table 5.3: Optical Power Budget and Predicted Performance of the Beam Permit Loops in SPS
The observed performance (shown in green) compared to these predictions is shown in
Table 5.4.
Measurement Point TX RX1 RX2 RX3 RX4 RX5 RX6 RX7
Pessimistic Prediction 0.04 0.10 0.20 0.30 0.40 0.50 0.60 0.70
Observation 0.03 0.03 0.07 0.06 0.09 0.08 0.11 0.10
Table 5.4: Predicted and Observed Performance of the SPS Beam Permit Loop
Clearly the model derived for the performance of the beam permit loop provides a very pessimistic
approximation, even in the machine environment. Using this model for the LHC beam permit
loops will ensure that even in the worst case the required Bit Error Rate is achieved.
5.2.1 Software Supervision of the SPS
In addition to the hardware, the SPS Beam Interlock System has been a good testing ground for
the supervision software. Prototype screens have been created that interpret the data read from
the Manager board, allowing the system operation to be visualised. Figure 5.15 shows the
overview screen with controllers installed in points 3, 4 and 6. BA4 on the right of the diagram is
also the location of the extraction interlock system for the CNGS experiment.
Figure 5.15: Overview Supervision Screen Prototype, SPS 2006
134 CHAPTER 5. PROOF OF CONCEPT AND FIRST EXPERIENCE
Figure 5.17 on the facing page shows the supervision screen of a single controller. In this case the
controller has a pair of User Systems connected in two maskable channels. The USER PERMIT
signals from the User Systems are shown on the left hand-side of the screen, followed by the
disable switches and mask settings which lead to the final LOCAL BEAM PERMIT signal on the
right-hand side. The Safe Beam Flag is shown at the top of the screen aligned with the mask
signals.
Expanding the simple view to include the redundant channels leads to Figure 5.18 on the next
page, showing the specialist controller view. This is the same layout as that shown previously, with
the inclusion of the redundant signals for each channel. This screen can be used by machine
interlock specialists to verify the operation of each of the channels, A and B. This is especially
important during a test, when A and B are forced to different values.
5.2.2 Software Interlocks
The SPS Beam Interlock System has also been used as a test bench for the Software Interlock
System (SIS). This system is capable of forming more complex interlocking criteria based on data
retrieved from the operational databases for the equipment.
The interface between the Software Interlock System and Beam Interlock System was implemented
by periodically writing a value to the FESA server running in the Power PC of the VME Chassis.
This server would then write a value to the Monitor FPGA which in turn sets
SOFTWARE PERMIT for the matrices. If the value was not written to the FESA server within a
predefined period, this SOFTWARE PERMIT would be set FALSE and beam operation aborted.
Figure 5.16 shows the communication of this software interlock through the various systems.
Figure 5.16: Software Interlocking in SPS, 2006
5.2. INTERLOCKING THE SPS 135
Figure 5.17: Controller Supervision Screen Prototype, SPS 2006
Figure 5.18: Specialist Supervision Screen Prototype, SPS 2006
136 CHAPTER 5. PROOF OF CONCEPT AND FIRST EXPERIENCE
5.3 Interlocking the CNGS Extraction
CNGS is a new experiment, with the transfer line and magnets only being completed at the end of
2005. The CNGS Beam Interlock System is the sole equipment responsible for the protection of
this part of the accelerator complex, meaning that the CNGS experiment of 2006 has been both
the most critical and rewarding test so far. Machine protection, operation and physics completely
depended on the operation of the Beam Interlock System.
The beam is extracted from the SPS into a short transfer line, called TT40, before being diverted
into the new TT41 beam-line. The extraction region, TT40 and TT41 all have to give permission
for the beam extraction to take place. Four Beam Interlock Controllers have been installed, two
protecting TT40 and the extraction region and two protecting TT41. Figure 5.19 shows the
location of these controllers with respect to the SPS and the TI8 transfer line to LHC. In total
around 30 User Systems were connected to the system.
Figure 5.19: CNGS and TI8 Beam Interlock System, 2006
Protection of the extraction from BA4 ultimately requires a Master Beam Interlock Controller, as
the beam can be directed towards CNGS or LHC depending on the cycle. For 2006 only the
CNGS extraction has been used, so a simple system architecture has been implemented, as shown
in Figure 5.20. The extraction interlock system will be fitted with a Master Beam Interlock
Controller in 2007, to accommodate these more complex extraction criteria.
Figure 5.20: CNGS Controller Hierarchy, 2006
5.3.1 Extraction Procedure
A complex sequence of events must be followed before the beam can be safely transferred out of
the SPS. The extraction essentially consists of the firing of a kicker magnet which diverts the
normally circulating beam into the CNGS transfer lines, the transfer of the beam has to be very
precise, as the tolerances for beam alignment in the transfer lines are very small. Of course the
process for the beam transfer is not as simple as this suggests, it is carried out using a relatively
complex structure of magnets, as shown in Figure 5.21 on the next page.
5.3. INTERLOCKING THE CNGS EXTRACTION 137
Figure 5.21: Magnets and Equipment Around the Extraction Region
This part of the accelerator complex is the orange circle shown on Figure 5.19 on the facing page.
In Figure 5.21 the main horizontal path is the normal trajectory of beam through the SPS
accelerator, with the TT40 transfer line coming off at an angle from this. The various coloured
sections represent the key elements required for the beam transfer.
• Kicker Magnet - this is a normal conducting magnet that can be pulsed, with an activation
taking several microseconds. This magnet is not strong enough to bend the beam into the
TT40 alone, it relies on the Septum Magnet and Orbit Bump Magnets to transfer the beam
successfully.
• Septum Magnet - This is a special magnet which is split into a side with field and a side
without (the upper and lower-sides shown in Figure 5.21). The upper-side has a strong field,
when the beam passes through this it is deflected through a large angle, aimed down the
extraction region. The septum magnet is also pulsed, taking several milliseconds to reach full
field strength.
• Orbit Bump Magnets - the four bump magnets shown on Figure 5.21 work together, they can
change the orbit of the beam around the extraction region. When the magnets are powered,
the beam is moved closer to the upper side of the Septum Magnet. These magnets are turned
on and off relatively slowly, allowing a stable change in the orbit of the circulating beam.
All of these elements are required to successfully transfer the SPS beam into the TT40 transfer
line, the sequence of events is as follows:
1. The beam destined for CNGS is injected from the PS into the SPS as at around 28GeV, the
injection of the beam leaves two empty sections of circulating beam. These empty gaps allow
two extractions to be made, each gap give space for the kicker magnet to fire without
spraying beam around the machine while its field rises. Once in the SPS, the beam is
accelerated to 400GeV.
2. Once at 400GeV, the beam is stable, following a centralised closed orbit, as shown in
Figure 5.22 on the following page. This can be verified by observing the beam position using
Beam Position Monitors installed in the SPS.
3. The Septum Magnet is powered around 1.5 seconds before extraction.
4. Around 200ms before extraction, the bump magnets are powered and the beam orbit is
changed so that it passes closer to the upper-side of the Septum Magnet, as shown in
Figure 5.23 on the next page. Throughout this process Beam Position Monitors are used to
determine the correct alignment of the beam.
5. A final check of the system operation is made by looking at beam parameters and reading
the BEAM PERMIT signal from the Beam Interlock System. If the Beam Interlock System
indicates that everything is ready in TT40, TT41 and the extraction region, then the Kicker
Magnet is pulsed. The first part of the beam is deflected into the upper-side of the Septum
Magnet, being transferred out of the SPS machine, as shown in Figure 5.24 on the following
page.
6. The Kicker Magnet is turned off immediately following the extraction.
138 CHAPTER 5. PROOF OF CONCEPT AND FIRST EXPERIENCE
7. Around 50 milliseconds later, steps 5. and 6. are repeated for the second part of the beam.
8. Once all the circulating beam is extracted, the SPS prepares for another beam injection from
the PS accelerator.
Figure 5.22: Normal SPS Closed Orbit
Figure 5.23: SPS Bumped Orbit
Figure 5.24: SPS Beam Extraction
Looking back at Figure 2.1 on page 17 shows that a single extracted batch from the SPS has
almost the same energy as a complete circulating beam in other accelerators, evidently the CNGS
beam has enough stored energy to destroy the extraction region.
5.3. INTERLOCKING THE CNGS EXTRACTION 139
The critical time for the extraction is the interval directly preceding the extraction kick. Within
this time frame all the operational parameters must be within tolerances for the beam to be
successfully transferred. Most equipment surveillance is too slow to be effective, this was evident in
2004, when the Septum Magnet failed milliseconds before extraction resulting in the extracted
beam destroying the vacuum chamber of the TT40 transfer line [45].
This event was a timely reminder of the beam related danger, especially important in the
extraction regions where aperture limitations mean that tolerances are particularly small.
Following this failure it became clear that the existing interlock systems could not protect against
these very fast events in the extraction regions. To overcome this weakness the Fast Magnet
Current-Change Monitor was designed, interlocking the critical magnets and protecting the
accelerator complex against the fastest events.
5.3.2 Current-Change Interlocking for CNGS
The effectiveness of the Fast Magnet Current Change Monitor has been determined by
experiments involving low intensity beam sent through the transfer lines TT40 and TT41 from
SPS [135]. The stored beam energy was below the damage thresholds of the transfer line, allowing
a live test to be carried out without endangering the machine operation. The elements which were
involved in the test are shown in Figure 5.25.
Figure 5.25: Set-up of the Current-Change Monitor Tests
For the test, the Septum Magnet power supply was programmed to change the current of the
magnet just before the extraction kick. The experiments started with the change occurring just
before the extraction kick, where the decaying magnet field was still strong enough to correctly
steer the beam. The time of the current-change was gradually advanced, to a point where the
beam would be mis-steered, replicating the failure which resulted in damage in 2004.
In every case the beam was either extracted within tolerances, or the Fast Magnet-Current Change
Monitor and Beam Interlock System interlocked the extraction kick, protecting the machine from
damage, proving the Machine Protection System function in a live situation.
Analysis of the experiment showed that the current-change monitor is very precise, a change in
current of < 0.1%, equivalent to an angle change of less than 2µ radian was detected and
interlocked successfully by the monitor [135].
This experiment tested the complete interlock chain, from failure, through detection and reaction.
It proved that the complete chain performs to specification in every aspect.
140 CHAPTER 5. PROOF OF CONCEPT AND FIRST EXPERIENCE
5.3.3 Software Supervision of the CNGS Extraction
The CNGS supervision is implemented in a similar way to that of the SPS, with a system overview
screen and a detailed view of each controller. Complementing these is a bar graph screen showing
the extraction permit windows from the Beam Interlock System, a typical output is shown in
Figure 5.26. The USER PERMIT signals are stacked one above the other. Green indicates TRUE,
red indicates FALSE. The BEAM PERMIT of system is shown along the bottom of the charts,
essentially being a logical AND of the USER PERMIT signals shown above.
Figure 5.26: Bar Graph Supervision Screen Example from CNGS Extraction, 2006
The two extraction pulses are clearly shown occurring at an interval of less than 100ms. The data
shown in these bar charts is based on the history buffer information read from the controllers,
which is interpreted by software into a detailed record, such as that shown in Figure 5.27.
Figure 5.27: Interpreted History Buffer
Both operators and specialists can view the history buffers to get an impression of the events
during the extraction.
5.3. INTERLOCKING THE CNGS EXTRACTION 141
5.3.4 The VME Chassis in SPS BA4
Building BA4 contains the TT40, TT41 and SPS point 4 Beam Interlock Controllers, front and
rear photographs of these installations are shown below.
Figure 5.28: BA4 Rack
Figure 5.29: Rear of SPS BIC BA4
Figure 5.30: Rear of TT40 BICs
Figure 5.31: Rear of TT41 BICs
This gives an impression as to the complexity of a Beam Interlock Controller. The systems shown
here are only for the interlocking of the CNGS experiment. In 2007 this will become even more
complex as the Master Beam Interlock Controller is implemented, along with the controllers for
the TI8 transfer line.
142 CHAPTER 5. PROOF OF CONCEPT AND FIRST EXPERIENCE
5.4 Scaling to the LHC
All of the electronics for the Beam Interlock System had to be designed and produced in a short
space of time to install and commission both the SPS and CNGS systems ready for beam
operation. Ultimately the goal was to prove the hardware of the Beam Interlock System in the
machine environment, and clearly the Beam Interlock Systems installed in SPS and CNGS have
been effective in protecting the complex, one of the final steps will be the scaling-up of these
systems to protect the LHC machine.
5.4.1 LHC Beam Interlock System Response Time
The first question concerns whether the specified response time of the LHC will be met. The
predicted worst case response time for the LHC system is as shown in Figure 5.32. This is for a
change in USER PERMIT located at LHC point 2, leading to a change in BEAM PERMIT at
point 6, the worst possible transmission case.
Figure 5.32: Predicted Worst Case Response Time for the Beam Interlock System (to scale)
• t0 - USER PERMIT changes state
• t0 to t1 : 7µs - Worst case propagation delay of the User Interface, experience has shown
that the response time is typically 3− 4µs for 5V systems, and 4− 6µs for 24V systems.
• t1 to t2 : 6.5µs - Worst case propagation delay of the cable from User Interface to controller,
1200m at 5.4ns per meter.
• t2 to t3 : 2µs - Propagation delay of the Manager board, with a 1.6µs glitch filter and 0.4µs
for synchronisation.
• t3 - LOCAL BEAM PERMIT changes state
• t3 to t4 : 79.5µs - Worst case propagation delay of light in fibre for half of the LHC, with a
margin added for routing and propagation delays during the electrical to optical conversion.
• t4 to t5 : 5µs - Detection delay, specified as 5µs.
• t5 - BEAM PERMIT changes state
In the worst case the t0 → t5 delay is 100µs exactly matching the design specification of the LHC
Beam Interlock System.
5.4.2 Final Improvements to the System
Implementing the interlock systems in SPS and CNGS have been an excellent opportunity to learn
from the system operation. Amongst the most interesting observations are those concerning
failures of the system. At the time of writing there had been seven interventions to repair problems
related to the Beam Interlock System in the course of around six months operation.
1. CNGS controller persistent bus read error- Due to foreign conductive material
shorting a bus driver.
2. SPS VME chassis PSU failure - Internal VME PSU failure after a 24 hour power cut.
3. CNGS controller ethernet fault - Ethernet controller on the Power PC board crashed.
5.4. SCALING TO THE LHC 143
4. CNGS beam position monitors fault - User System mis-configured, giving pulses on
USER PERMIT.
5. Software interlock initialisation fault - Delayed rearming of the SPS Beam Interlock
System after a VHDL upgrade was applied to the monitor FPGAs of the SPS Manager
boards.
6. Software interlock fault - Stuck at FALSE following the introduction of a new SPS cycle
type.
7. Software interlock fault - Stuck at FALSE following a bad Internet Protocol (IP) address
configuration between Software Interlock System and Beam Interlock System.
At first glance seven interventions may seem excessive, however only one of these problems was a
Beam Interlock System hardware failure. It is somewhat counter intuitive, but problems are
actually good for the system development, as each is logged and carefully investigated. Failure
analysis is fed back into the design process, leading to an improved design in the subsequent
iterations. Numerous improvements to the Beam Interlock System are scheduled to be addressed
and implemented before the final LHC system is fabricated. These come in response to
observations both from operations and failures such as those listed above.
Quality Management Strategy
Perhaps one of the most critical updates is to the machine interlocks quality management. Now
that the basic function and architecture of the systems is proven in a small preseries, larger series
must be considered as a natural progression. However, one must consider the quality management
of large quantities of devices, in particular the procurement of Automated Test Equipment. Work
is ongoing to create test equipment for each board, which can be used to quickly and accurately
test the function of each and every component. This is absolutely vital if the LHC machine is to
meet the startup deadline of late 2007.
Testing and commissioning of the preseries controllers and User Interfaces was quite a cumbersome
task. It would take many months to test and commission the LHC Beam Interlock System in the
same way. Following the prototype and preseries some system objectives have been set that will
speed up the test and commissioning of the system.
1. Pre-delivery - Automated Test Equipment (ATE) needs to be given to manufacturers so
that they can completely check the function of the electronics which are being shipped to
CERN.
2. Post-delivery - Once the electronics arrive at CERN the same test equipment should be
available to quickly and accurately determine whether everything is functioning correctly, to
ensure that no damage has occurring during delivery.
3. Software - At the controller level, fundamental software is required that shows the status
from User Interface through to LOCAL BEAM PERMIT. This has to include all the TEST
and MONITOR data, with the capability to activate test mode in a safe and robust manner.
4. Sequencer - At the system level a test sequencer is required to automate the final system
test and commissioning that will be carried out before LHC starts, in principle this sequencer
should be able to select to test any part of the system, from a single user, to the beam
permit loops. To carry this out the sequencer should have direct links to the LHC User
Systems, Beam Interlock System and Beam Dumping Systems.
5. Transmission Rate - The extra bandwidth available on the link from User Interface to
Controller should be exploited by making the frame transmission almost continuous, as
currently the time delay from a TEST written to the Manager board, and the User Interface
being updated is in the order of one or two seconds.
6. Documentation - Perhaps the most basic requirement of the commissioning process are the
sequences that need to be followed at the level of the Beam Interlock System.
144 CHAPTER 5. PROOF OF CONCEPT AND FIRST EXPERIENCE
Altering the Software Interlock Hierarchy
The software interlock proved to be considerably unreliable, being responsible for several hours of
machine downtime. The implementation used in the SPS creates an operational dependency on
the monitor FPGA on the Manager board, going against the design principles laid out in the early
stages of the system development. Figure 5.33 shows the preferred integration of the Software
Interlock System with the Beam Interlock System, which is proposed for 2007.
Figure 5.33: Proposed Integration of the Software Interlock System
Beam Permit Loop Upgrades
Numerous studies are planned to finalise the implementation of the beam permit loop and the
optical transceivers, there are four open questions concerning this part of the Beam Interlock
System.
Frequency or DC?
The current implementation of the beam permit loop uses 10MHz to represent TRUE and DC for
FALSE. This requires a DC based optical communications system which is quite difficult to realise
as modern market trends are for high bandwidth links using AC coupled transmission. A different
frequency could be sent for the FALSE state, this would allow the link to be designed using AC
coupled transceivers. However, adjusting the components of this link must not be taken lightly, a
bad design implemented here could have a serious effect on system safety and availability.
Figure 5.34: DC versus Frequency Based Operation for the Beam Permit Loops
The parameters of the frequency detectors must match the correspond to the signals on the beam
permit loops, to this end, the detector specification needs to be concluded and approved by all
parties.
Upgrade the Optical Transceiver?
The frequency discussion also has a bearing on the implementation of the Optical Transceiver, it is
being investigated whether this device can be simply upgraded. The key motivations concern the
component choice for the device, these are very mature products and are not supplied by many
companies, also the transmitters and receivers chosen are at the limit of their operation regions
when being used in single mode fibres.
5.4. SCALING TO THE LHC 145
Figure 5.35: Upgrade to the CIBO Transceiver
Numerous alternatives are being explored that contribute to the frequency versus DC
debate.
Upgrade the Switching Circuit?
A failure mode exists in the non-latching Beam Interlock Controllers that has a very small chance
of leading to an erroneous assertion of BEAM PERMIT. The specified switching circuit is an AND
gate, consider that the LOOP IN signal is stopped at logic ‘1’, the value of
LOCAL BEAM PERMIT appears on LOOP OUT. This means if LOCAL BEAM PERMIT
oscillates, then so will the beam permit loop. If the worst case is considered this oscillation could
represent BEAM PERMIT TRUE. To compensate for this a memory element can be used for the
switch, so if LOOP IN does not oscillate, then LOOP OUT is fixed.
Figure 5.36: Proposed Upgrade for the Optical Switching Circuit
This switch would only be implemented in non-latching controllers used in the tree hierarchies.
Preliminary experiments showed that the memory element increased the permit loop jitter by a
factor of three when compared to the AND gate solution. In addition it is also considered poor
CPLD design practice to use an asynchronous input signal as a clock signal in both the rising and
falling edge domains.
Delay Verification?
One of the less critical propositions concerning is that of a ping mechanism. This would allow the
controller synchronisation and fibre delay between each point to be verified. An extra history
buffer record is needed that is logged when the beam permit loop has an edge change when it is in
the FALSE state, in this way the loop delay can be tested during the Beam Interlock System
testing and commissioning.
146 CHAPTER 5. PROOF OF CONCEPT AND FIRST EXPERIENCE
Figure 5.37: Pinging the Beam Permit Loops to Check Delay
The Manager Board and the History Buffer
One final iteration is required on the Manager board to upgrade the VME bus drivers and adjust
some component alignments. At the same time a review will be made of the whole device to see
whether any other changes and modifications are required.
Some VHDL modifications are planned, such as improving the history buffer, which is currently
cumbersome to read and reconstruct, discussions between operations staff, machine interlocks
hardware engineers and software specialists are ongoing in order to find a common solution that
meets the various requirements for the history buffer.
VME Bus Upgrade
The persistent bus read error observed in one of the CNGS controllers proved that hypothetical
pin-to-pin shorts are a real issue, reinforcing the fail-safe pinning criteria. The pin-short forced a
review of the VME bus implementation, resulting in more powerful drivers being specified for the
next Manager board iteration, and for every other card that uses the same bus interface.
The Master Beam Interlock Controller
In 2006 the SPS point 4 extraction interlock system has been implemented using a simple beam
permit loop as there was only one destination for the extracted beam. The master controller is
required for 2007, this will accommodate more complex interlocking criteria, taking into
consideration the beam destination.
Figure 5.38: Required Implementation of the Master BIC for 2007
More design specifications are needed before this can be realised, especially concerning the
proposed architecture of the extraction interlock systems.
5.4. SCALING TO THE LHC 147
Software Supervision
The software supervision worked very well for the CNGS experiment, it allowed numerous
iterations to be safely made and tested in a real machine environment. More work needs to be
carried out to realise the remaining screens that are as yet not available. Work between Machine
Interlock hardware specialists, software programmers and the operations crew is foreseen in the
near future to set the short, medium and strategic plans for the software.
Databases
The configuration database needs to be prepared so that the observed controller configuration can
be automatically verified. This is needed before the machine commissioning begins, so that the
record of each link can be stored from the very beginning. The User Interface Identification
(CIBU ID) will be recorded, along with the cable numbers, cable lengths, hardware platforms,
system engineers and many other details. This database will also allow the history buffer records
of the Beam Interlock Controllers to be adjusted for the cable length between User System and
Interlock Controller.
Coupled with this is the need for a maintenance database to track faults, fixes and change
requests. Without the database it will be very difficult to spot coherent failures that could be
indicative of more serious problems in other parts of the system.
User Interface to Test & Monitor Serial Communications
The serial communications links TEST and MONITOR have been used extensively throughout the
testing of the Beam Interlock Systems installed in SPS and CNGS. On rare occasions an unusual
behaviour is observed where a requested test mode results in the User Interface only accepting half
of the TEST commands, in these cases it signals a communications error to the Test & Monitor.
Preliminary investigations suggest that the DC balance of the links is to blame, this can be
overcome by sending the TEST and MONITOR frames at a higher rate, maybe 1000× the current
one. This will be investigated and VHDL upgrades deployed in the Test & Monitor devices if
warranted.
This should wait until the software screens that exploit these frames are available, to give an
indication of the exact nature of these transmission errors. It has to be noted that an upgrade of
the User Interface VHDL is possible, but is not advised due to the proven operation of the current
version of VHDL in every other respect.
Debugger tools are needed for the links between the User System and User Interface, and the User
Interface and controller. These hardware units should be able to record operation for a given
period of time, this would help to debug troublesome links that could otherwise be tricky to
diagnose in the event of an intermittent fault.
The forward terminating resistors on the RS485 channels USER PERMIT A and B are also to be
removed to ensure that signal integrity is maintained up to and beyond the 1200m limit of the
RS485 links.
148 CHAPTER 5. PROOF OF CONCEPT AND FIRST EXPERIENCE
Chapter 6
Conclusions
This thesis has described the design, realisation and testing of a Beam Interlock System for the
protection of CERN high energy accelerators. The system has been shown to be solid and
dependable from the ground up. Both prototype and preseries testing have proven without doubt
that the system meets its specification. Above all, it has been demonstrated that the system has
flexibility without compromising safety, allowing each and every application to be realised with
just a minimum of modification to the system. Any part of the CERN accelerator complex that
needs beam interlocking can be fitted with an interlock system providing solid defense against
beam related damage.
The LHC is the first accelerator to have a dependability requirement, making the Beam Interlock
System the first of its kind, motivated not only by function, but also by safety and reliability.
Dependability analysis has been used as an integral part of the system design, with failure-mode
analysis giving an extra aspect to electronics design. It was shown that a dual-redundant
architecture using the A and B channels was required to reach the strenuous safety requirements
imposed on the system. With redundant power supplies required to keep the system availability
high, compromising for the increased complexity due to the redundant architecture.
A fundamental aspect to the safety analysis is proof of function. Complete and robust testing and
monitoring of the system has been implemented. This allows an end-to-end test of the system to
be carried out without ever forcing the system into a dangerous state by exploiting the A and B
redundancy.
One further aspect of the system that is both novel and unique is the inclusion of a Safe Beam
Flag that allows a sub-set of the User System inputs to be masked. This will be crucial during
commissioning and the early operation of the LHC machine giving operators the freedom to make
adjustments without endangering the machine.
The system performance, quantified using standard military and mathematical reliability
techniques, has shown to statistically meet both specifications for safety and availability. Meeting
the requirements for Safety Integrity Level 4, the highest that is reasonably attainable for an
electronic system, and generating less than four False Beam Dumps per year due to internal
failure. This investigation of the Beam Interlock System safety forms the foundation of this thesis,
ultimately this is what justifies the award of PhD.
The final proof of the Beam Interlock System described in this thesis has been the successful
operation of the SPS and the CNGS experiment. The Beam Interlock System was vital for the
operation of both. In total, a system around one third the size of LHC was installed, interlocking
the extraction of beam from SPS, towards the neutrino target in Gran Sasso, Italy. The CNGS
project has proven the system is capable of protecting a real physics experiment, working without
issue and giving the operations team confidence, knowing that the Beam Interlock System will act
as dependable safety-net if anything should go wrong.
The next goal for the system development is the mass production and installation of the
equipment in the LHC. By Autumn 2007 the LHC will be online, with the Beam Interlock Systems
being the backbone of the Machine Protection Systems. The Beam Interlock System will prove
decisive in the safe operation of the world’s largest proton-proton accelerator.
149
150 CHAPTER 6. CONCLUSIONS
This thesis was successfully defended at Brunel University on the 20th November 2006. My thanks
to Professor J. Barrows of the John Adams Institute for Accelerator Science, Oxford University
and Professor J. Stonham of Brunel University for their time and their enthusiasm.
Appendix A
RS485 versus Current Loop
Technology
Three different transmission techniques were studied for the Beam Interlock System
communications.
1. Current Loops
2. Optically Isolated RS485 Transmission
3. RS485 Transmission
Communication links of each type were constructed and investigated.
Figure A.1: Current Loop Transmission Circuit
Figure A.2: Optically Isolated RS485 Transmission Circuit
Figure A.3: RS485 Transmission Circuit
151
152 APPENDIX A. RS485 VERSUS CURRENT LOOP TECHNOLOGY
A.1 Current Loop Testing
A one meter current loop connection was established, it exhibited the following characteristics,
where:
• Dark Blue is Vin
• Purple is Vout
Figure A.4: FALSE to TRUE Transmission Using Current Loops
Figure A.5: TRUE to FALSE Transmission Using Current Loops
The line voltages Va and Vb were observed leading to the following plots
• Dark Blue is Vin
• Purple is Va
• Green is Vb
A.1. CURRENT LOOP TESTING 153
Figure A.6: FALSE to TRUE Transmission Current Loop Line Voltages
Figure A.7: TRUE to FALSE Transmission Current Loop Line Voltages
The following table is derived from the graphs:
Transition dV/dt Transmission Delay[V/µs] [µs]
FALSE → TRUE 36 0.550
TRUE → FALSE 720 0.130
Table A.1: Current Loop Observations
The values of dV/dt are very high, this could be compensated by adding capacitance in parallel to
the cable but would lead to an inconsistent response due to cabling effects and a less reliable link
due to the increased component count.
154 APPENDIX A. RS485 VERSUS CURRENT LOOP TECHNOLOGY
A.2 Optocoupled RS485 Testing
An RS485 driver can be used to drive an optically isolated link, with a constant current diode
regulating the optocoupler current at an efficient level. The following diagrams show the response
of a one meter optocoupled RS485 link, where:
• Dark Blue is Vin
• Light Blue is Vout
• Purple is Va (Non Inverting)
• Green is Vb (Inverting)
Figure A.8: FALSE to TRUE Transmission Using Isolated RS485
Figure A.9: TRUE to FALSE Transmission Using Isolated RS485
Transition dV/dt Transmission Delay[V/µs] [µs]
FALSE → TRUE 4.4 1.300
TRUE → FALSE 8.2 0.600
Table A.2: Isolated RS485 Observations
The characteristics of the link are good, however Figure A.9 clearly shows that the output of the
communications channel switches to TRUE before Va and Vb have crossed. This means that the
communications channel is more susceptible to external perturbation than a regular RS485
connection.
A.3. RS485 TESTING 155
A.3 RS485 Testing
A one meter RS485 communications link was constructed using simple transceivers, in these
diagrams:
• Dark Blue is Vin
• Light Blue is Vout
• Purple is Va (Non Inverting)
• Green is Vb (Inverting)
Figure A.10: FALSE to TRUE Transmission Using RS485
Figure A.11: TRUE to FALSE Transmission Using RS485
156 APPENDIX A. RS485 VERSUS CURRENT LOOP TECHNOLOGY
Transition dV/dt Transmission Delay[V/µs] [µs]
FALSE → TRUE 6.5 1.200
TRUE → FALSE 4.3 1.200
Table A.3: RS485 Observations
RS485 meets all the requirements of the communications link: it’s simple, deterministic in both
TRUE to FALSE and FALSE to TRUE transitions, it’s fast and has a low dV/dt. Experiments
such as the one shown in Figure A.12 have proven that RS485 has an inherently high tolerance
against external perturbation. In this experiment ±10V sine waves at varying frequencies were
coupled to the shield of the communications link, it showed no indications of erroneous behaviour,
despite both Va and Vb clearly being effected.
Figure A.12: Example of RS485 Resistance to External Perturbation
Appendix B
Testing a CERN Standard NE12
Cable
The CERN standard cable (NE12) was tested with RS485 communications to determine the
impact of cable length on transmission delay and to see whether the initial cable capacitance could
cause adverse effects on the system response time. In this case approximately 2− 2.5µs pulses
were sent at one second intervals through cables of various lengths. A typical response is shown in
the following series of oscilloscope traces.
• Dark Blue is Vin
• Green is Vout
• Purple is Va (Non Inverting)
• Light Blue is Vb (Inverting)
Figure B.1: 30cm RS485 Delay Figure B.2: 315m RS485 Delay
157
158 APPENDIX B. TESTING A CERN STANDARD NE12 CABLE
Figure B.3: 615m RS485 Delay Figure B.4: 915m RS485 Delay
Figure B.5: 1215m RS485 Delay
Cable capacitive effect is minimal, it does not perturb the operation of the system even with long
links and excessive idle periods. RS485 signals transmitted through the NE12 cable were shown to









Table B.1: NE12 Cable Delay Measurements
These figures can be used to determine the corrective factors that need to be applied to the logged
data of the Beam Interlock Controllers to compensate for cable delay.
Appendix C
LHC Beam Interlock System
User’s List
Table C.1 on the next page shows a complete list of the User Systems installed in the LHC. The
table shows the installations at each point, whether the systems are maskable or unmaskable and
whether they interlock beams independently or simultaneously. Note that in almost every case
systems that interlock the beams independently have a pair of connections per Beam Interlock
Controller. In these cases the Double User Interface can be used to save on both rack space and to
improve system reliability.
159









































































































































































































































































































































































































































































































































































































































































































































































































































TEST and MONITOR Data in the
BIS
D.1 History Buffer Records
The history buffer in the CIBM records a history of events. There are almost 100 records that can
be created, each representing a different changed observed:
Record Name Trigger Signal Change Number
Matrix Inputs
USER PERMIT A 1-14 T → F 14F → T 14
USER PERMIT B 1-14 T → F 14F → T 14
Local Beam Permit
LOCAL BEAM PERMIT A T → F 1F → T 1
LOCAL BEAM PERMIT B T → F 1F → T 1
Beam Permit
FAST & SLOW DETECT A T → F 2F → T 2
FAST & SLOW DETECT B T → F 2F → T 2
Safe Beam Flag
SAFE BEAM FLAG A T → F 1F → T 1
SAFE BEAM FLAG B T → F 1F → T 1
Mask MASK 1-7 T → F 7F → T 7
Latch
LATCH INIT A T → F 1F → T 1
LATCH INIT B T → F 1F → T 1
LATCH REARM A T → F 1F → T 1
LATCH REARM B T → F 1F → T 1
Total 94
Table D.1: Different Types of Records in the History Buffer
D.2 MONITOR Data
161









































D.2. MONITOR DATA 163
Data that can be read from the Manager board concerning the MONITOR data from throughout
the Beam Interlock Controller and User Interfaces is as follows:
Starting with data that originated in the User Interface:
• USER PERMIT A (PA)- read from the CIBU
• USER PERMIT B (PB)- read from the CIBU
• BEAM PERMIT INFO (PI)- read from the CIBU
• USER PERMIT A TX FAULT (PATF)- from the CIBU RS485 transmission circuit
• USER PERMIT B TX FAULT (PATF)- from the CIBU RS485 transmission circuit
• BEAM PERMIT INFO RX FAULT (PIRF)- from the CIBU RS485 reception circuit
• PSU A OK (PSUA)- CIBD A read from the CIBU
• PSU B OK (PSUB)- CIBD B read from the CIBU
• CIBU ID (ID)- a unique ten-bit CIBU identifier 0 - 1023
• TEST RX FAULT (TRF)- receiver timeout from the Manchester decoder
• TEST ERROR (TE)- receiver error from the Manchester decoder
• TEST ON (ON)- ‘1’ when the CIBU is in ‘test’ mode
• TEST LOGIC A (LGA)- the test value applied to USER PERMIT A
• TEST LOGIC B (LGB)- the test value applied to USER PERMIT B
• CIBU B2 (CB2)- the beam functionality of the CIBU (B1 or B2)
• CIBUT PRESENT (UTP)- a test device is locally connected
These are arranged into five bytes and transmitted periodically back to the Beam Interlock
Controller from the CIBU, the format of the bytes is shown in Table D.2.
7 6 5 4 3 2 1 0
0 0 0 PA PB PI TE ON Byte0
0 0 1 PAF PBF PIF PSUA PSUB Byte1
0 1 0 CB2 UTP LGA LGB TRF Byte2
0 1 1 CIBU ID9−5 Byte3
1 0 0 CIBU ID4−0 Byte4
Table D.2: Five 8-bit MONITOR Registers Send by the CIBU
The three remaining addresses, Byte5, Byte6 and Byte7 are used for MONITOR data of the fibre
optic extenders, CIBFU and CIBFC shown in Table D.3.
7 6 5 4 3 2 1 0
1 0 1 FUPA FUPAF FUPB FUPBF FUPI Byte5
1 1 0 FUPIF FUPSU FCURXF FCPA FCPAF Byte6
1 1 1 FCPB FCPBF FCPI FCPIF FCPSU Byte7
Table D.3: Three 8-bit MONITOR Registers Appended to CIBU MONITOR Data by the CIBFx
The description of the CIBFU bits is as follows.
• CIBFU USER PERMIT A (FUPA)- read from the CIBU
• CIBFU USER PERMIT B (FUPB)- read from the CIBU
• CIBFU BEAM PERMIT INFO (FUPI)- read from the CIBU
• CIBFU USER PERMIT A FAULT (FUPAF)- from the CIBU RS485 transmission circuit
• CIBFU USER PERMIT B FAULT (FUPBF)- from the CIBU RS485 transmission circuit
• CIBFU BEAM PERMIT INFO FAULT (FUPIF)- from the CIBU RS485 reception circuit
164 APPENDIX D. TEST AND MONITOR DATA IN THE BIS
• CIBFU PSUs OK (FUPSU)- Both Power supplies in the CIBFU are working correctly
The CIBFC bits are identical, they are identified by replacing CIBFU and FUxxx with CIBFC and
FCxxx respectively. One bit (FCURXF) is reserved for transmission errors in the link, either the
CIBFU or CIBFC can set this, it indicates optical transmission problems between CIBFU and
CIBFC. Altogether this allows the full integrity of the links to be observed and any problems
diagnosed.
The CIBT adds some additional bits concerning the operation of the links to the CIBU. These
which are determined locally in the CIBT:
• BEAM PERMIT INFO TX FAULT (PITF)- in the CIBT RS485 transmission circuit
• TEST TX FAULT (TTF)- in the CIBT RS485 transmission circuit
• MONITOR RX FAULT (MRF)- in the CIBT RS485 reception circuit
• CIBU PRESENT (UP)- if the CIBU is connected and operating
• TEST MONITOR ERROR (TME)- cumulative errors on TEST and MONITOR, 0 - 255.
In the CIBM these values can be found in a pair of 32-bit registers per CIBU with the following
arrangement:
Byte3
31 30 29 28 27 26 25 24
1 0 0 CIBU ID 0
Byte2
23 22 21 20 19 18 17 16
PA PB PI PATF PBTF PIRF PSUA PSUB
Byte1
15 14 13 12 11 10 9 8
ON LGA LGB PITF TTF MRF UP TE
Byte0
7 6 5 4 3 2 1 0
TME7−0
Byte3
31 30 29 28 27 26 25 24
1 0 0 CIBU ID 1
Byte2
23 22 21 20 19 18 17 16
CB2 UTP ID9−4
Byte1
15 14 13 12 11 10 9 8
ID3−0 CIBFU Data
Byte0
7 6 5 4 3 2 1 0
CIBFU Data CIBFC Data
Table D.4: Two 32-bit MONITOR Registers for Each CIBU Read from the CIBT
The 28 registers corresponding to the CIBU statuses is accompanied by a pair of 32-bit registers
which represent the internal status of the CIBT
• BEAM PERMIT INFO B1 A RX (PI1AR) - read locally in the CIBT
• BEAM PERMIT INFO B1 B RX (PI1BR) - read locally in the CIBT
• BEAM PERMIT INFO B1 C RX (PI1CR) - read locally in the CIBT
• BEAM PERMIT INFO B2 A RX (PI2AR) - read locally in the CIBT
• BEAM PERMIT INFO B2 B RX (PI2BR) - read locally in the CIBT
• BEAM PERMIT INFO B2 C RX (PI2CR) - read locally in the CIBT
D.2. MONITOR DATA 165
• TEST A RX (TAR)- being used as the source for TEST data
• TEST B RX (TBR)- being used as the source for TEST data
• MONITOR A TX (MAT)- transmitting MONITOR data
• MONITOR B TX (MBT)- transmitting MONITOR data
• BEAM PERMIT INFO B1 A RX FAULT (PI1ARF) - read locally in the CIBT
• BEAM PERMIT INFO B1 B RX FAULT (PI1BRF) - read locally in the CIBT
• BEAM PERMIT INFO B1 C RX FAULT (PI1CRF) - read locally in the CIBT
• BEAM PERMIT INFO B2 A RX FAULT (PI2ARF) - read locally in the CIBT
• BEAM PERMIT INFO B2 B RX FAULT (PI2BRF) - read locally in the CIBT
• BEAM PERMIT INFO B2 C RX FAULT (PI2CRF) - read locally in the CIBT
• TEST A RX FAULT (TARF)- read locally in the CIBT
• TEST B RX FAULT (TBRF)- read locally in the CIBT
• MONITOR A TX FAULT (MATF)- read locally in the CIBT
• MONITOR B TX FAULT (MBTF)- read locally in the CIBT
• VERSION SC HIGH (VSCH)- serial communications FPGA version upper nibble
• VERSION SC LOW (VSCL)- serial communications FPGA version lower nibble
• VERSION DD HIGH (VDDH)- display driver FPGA version upper nibble
• VERSION DD LOW (VDDL)- display driver FPGA version lower nibble
These are arranged as follows:
Byte3
31 30 29 28 27 26 25 24
1 1 0 0 0 0 0 0
Byte2
23 22 21 20 19 18 17 16
PI1AR PI1BR PI1CR PI2AR PI2BR PI2CR x x
Byte1
15 14 13 12 11 10 9 8
PI1ARF PI1BRF PI1CRF PI2ARF PI2BRF PI2CRF x x
Byte0
7 6 5 4 3 2 1 0
TRA TRB TRAF TRBF MTA MTB MTAF MTBF
Byte3
31 30 29 28 27 26 25 24
1 1 0 0 0 0 0 1
Byte2
23 22 21 20 19 18 17 16
x x x x x x x x
Byte1
15 14 13 12 11 10 9 8
VSCH VSHL
Byte0
7 6 5 4 3 2 1 0
VDDH VDDL
Table D.5: Two 32-bit MONITOR Registers for the CIBT
Finally the CIBM appends six 32-bit registers concerning its own status of operation:
• BEAM PERMIT INFO A TX (PIAT) - read locally in the CIBM
166 APPENDIX D. TEST AND MONITOR DATA IN THE BIS
• BEAM PERMIT INFO B TX (PIBT) - read locally in the CIBM
• BEAM PERMIT INFO C TX (PICT) - read locally in the CIBM
• TEST A TX (TAT)- transmitting TEST data
• TEST B TX (TBT)- transmitting TEST data
• MONITOR A RX (MAR)- being used as the source for MONITOR data
• MONITOR B RX (MBR)- being used as the source for MONITOR data
• TEST B TX FAULT (TBTF)- read locally in the CIBM
• MONITOR A RX FAULT (MARF)- read locally in the CIBM
• MONITOR B RX FAULT (MBRF)- read locally in the CIBM
• BEAM PERMIT INFO TX (PIT) - Transmitted by CIBM (CIBU 1-6)
• BEAM PERMIT INFO TX FAULT (PITF) - read locally in the CIBM (CIBU 1-6)
• SAFE BEAM FLAG A (SBFA) - Received from the SMPR
• SAFE BEAM FLAG B (SBFB) - Received from the SMPR
• SAFE BEAM FLAG A FAULT (SBFAF) - read locally in the CIBM
• SAFE BEAM FLAG B FAULT (SBFBF) - read locally in the CIBM
• VERSION MF HIGH (VMFH)- monitor FPGA version upper nibble
• VERSION MF LOW (VMFL)- monitor FPGA version lower nibble
• VERSION MA HIGH (VMAH)- matrix A FPGA version upper nibble
• VERSION MA LOW (VMAL)- matrix A FPGA version lower nibble
• VERSION MB HIGH (VMBH)- matrix B FPGA version upper nibble
• VERSION MB LOW (VMBL)- matrix B FPGA version lower nibble
This memory mapping is still to be confirmed, as of September 2007. The 36 rows of 32-bit values
read from the CIBM that correspond to the operational status of the Beam Interlock Controller
and User Interfaces. Summarising the tables shown previously shows that the first byte of each
row identifies its contents:
• x82 → x9D are CIBU MONITOR registers
• xC0 → xC1 are CIBT MONITOR registers
• xC2 → xC7 are CIBM MONITOR registers
D.3 TEST data






































168 APPENDIX D. TEST AND MONITOR DATA IN THE BIS
The TEST commands that are written to the CIBU must first be passed to the CIBT from the
CIBM, the signals are as follows:
• CIBU# - The socket number of the User Interface that is to be tested (1-14 in straight
binary)
• AB - The USER PERMIT that is to be tested, logic ‘1’ selects USER PERMIT A, logic ‘0’
selects B.
• TF - The TRUE or FALSE level to be applied to the USER PERMIT selected by AB, logic
‘1’ sets the channel to TRUE, logic ‘0’ sets it FALSE.
• ON - A logic 1’ sets the mode of the CIBU to ‘test’, a logic ‘0’ sets it to ‘operation’.
• RST - Setting all bits to ‘1’ forces the CIBU mode to ‘reset’. After some seconds the CPLD
will restart in the ‘operation’ mode.
These are arranged in the CIBT in the following structure:
Byte3
31 30 29 28 27 26 25 24
1 0 0 CIBU# 0
Byte2
23 22 21 20 19 18 17 16
0 0 AB LG ON AB LG ON
Byte1
15 14 13 12 11 10 9 8
x x x x x x RST RST
Byte0
7 6 5 4 3 2 1 0
x x x x x x x x
Byte3
31 30 29 28 27 26 25 24
1 0 0 CIBU# 1
Byte2
23 22 21 20 19 18 17 16
1 1 AB LG ON AB LG ON
Byte1
15 14 13 12 11 10 9 8
x x x x x x RST RST
Byte0
7 6 5 4 3 2 1 0
x x x x x x x x
Table D.6: Two 32-bit TEST Registers for Each CIBU Written to the CIBT by the CIBM
The CIBT uses byte3 from the CIBM TEST data as an address, this is stored along with the three
remaining bytes, creating a 28 × 32-bit memory for the TEST data received from the CIBM. This
TEST data is then encoded as four single byte frames that are sent to the relevant CIBU:
7 6 5 4 3 2 1 0
0 0 AB LG ON AB LG ON Copied from 100XXXX0 Byte 2
0 1 RST RST RST RST RST RST Copied from 100XXXX0 Byte 1
1 0 x x x x x x
1 1 AB LG ON AB LG ON Copied from 100XXXX1 Byte 2
Table D.7: Four 8-bit TEST Registers Written to the CIBU by the CIBT
Together the TEST and MONITOR data provides a complete diagnosis of the operation of the
Beam Interlock System, from User Interface to beam permit loop.
Appendix E
Socket and Connector Coding
In the LHC VME chassis, beam-1, beam-2 and both-beam signals can be accommodated by the
patch-panel, which routes the signals to the beam-1 and beam-2 controllers providing the correct
interlocking. The size and gender of the sockets on the panel are coded to ensure that the correct
interlocking is maintained.




Table E.1: Socket Coding for the LHC Patch-Panel (CIBPL)
The SPS patch-panel allows two independent controllers to be implemented in a single chassis, this
can be used in any part of the CERN complex where only one beam is to be interlocked. There is
no need to differentiate between beams in this case so every connection is made by the same type
of socket.
Socket Size and Gender Beam Connection Type
12-pin female SPS-beam
Table E.2: Socket Coding for the SPS Patch-Panel (CIBPS)
The sockets on the User Interface are also coded, the requirements in this case are not as strict as
for the patch panels, the only critical fault could be a User System that accidentally interlocks the
wrong beam. For example, if a system interlocking beam-2 were to accidentally interlock beam-1,
the results could be catastrophic. On the other hand it is not so critical if a system interlocking
beam-1 were to be accidentally connected to a both-beam socket, the coding is applied to both the
controller and user side of the User Interface electronics, on the controller side:
Socket Size and Gender Beam Connection Type
12-pin female LHC beam-1, LHC both-beam or SPS-beam
12-pin male LHC beam-2
Table E.3: Controller Side Socket Coding for the User Interface (CIBU)
And the user side:
Socket Size and Gender Beam Connection Type
8-pin female LHC beam-1, LHC both-beam or SPS-beam
8-pin male LHC beam-2
Table E.4: User Side Socket Coding for the User Interface (CIBU)
User Systems are encouraged to provide coding to differentiate between beam-1 and beam-2 sockets
within their systems. This isn’t specified as in some cases it is impossible to implement.
169
170 APPENDIX E. SOCKET AND CONNECTOR CODING
This choice of socket encoding also implies that the cable connectors linking the LHC User
Interfaces to the LHC Beam Interlock Controllers is consistent with the beam being interlocked.
Conversely, the same connectors are used throughout the single beam installations:
Figure E.1: Connector and Socket Coding for the SPS and Transfer Line Systems
Figure E.2 shows the three combinations of cables connectors and sockets that can be implemented
in the LHC.
Figure E.2: Connector and Socket Coding for the LHC Systems
The interlocking architecture is hardwired at the input to the LHC Beam Interlock Controller,
automated test sequences in software can be activated to verify the links. The combination of
hardware coding and software verification leads to a robust and secure architecture that prevents




F.1 Cables from User System to User Interface
Three different implementations have been observed in the machine, the first is a twisted pair
cable with the shield left open at one side and a pig-tail connector at the other, as shown in
Figure F.1.
Figure F.1: User System to CIBU cable, with a Single Pig-Tail Shield Connection
Testing of this configuration showed that the link has almost no immunity from external events, as
shown in Table F.1.
One pig-tail, no ground Severity Level
USER PERMIT Setting 0.5kV 1.0kV 2.0kV 4.0kV
TRUE A B B C
FALSE C C C C
Table F.1: EMC Test Results of Circuit in Figure F.1
The second implementation is a twisted pair cable with the shield connected at both sides using
pig-tail connectors, as shown in Figure F.2 on the following page.
171
172 APPENDIX F. ELECTRO-MAGNETIC COMPATIBILITY ANALYSIS
Figure F.2: User System to CIBU cable, with a Pair of Pig-Tail Shield Connections
This link is slightly more immune to external events, but still led to a complete failure at the
highest level of testing, as shown in Table F.2.
Two pig-tails, no ground Severity Level
USER PERMIT Setting 0.5kV 1.0kV 2.0kV 4.0kV
TRUE A A A D
FALSE A A A D
Table F.2: EMC Test Results of Circuit in Figure F.2
The recommended implementation for this interconnection is a twisted pair cable with the shield
fully connected at both sides, and with a pair of ground wires within the cable itself, as shown in
Figure F.3.
Figure F.3: User System to CIBU Cable as Recommended
This link showed the best performance at the highest levels of testing, without any perturbations
being recorded, as shown in Table F.3.
Full connector, grounded wires Severity Level
USER PERMIT Setting 0.5kV 1.0kV 2.0kV 4.0kV
TRUE A A A A
FALSE A A A A
Table F.3: EMC Test Results of Circuit in Figure 4.84 on page 107
F.2. CABLES FROM USER INTERFACE TO CONTROLLER 173
F.2 Cables from User Interface to Controller
The cables from the User Interface to the Beam Interlock Controller have full shielding, and a pair
of ground wires connected at both ends, as shown in Figure F.4.
Figure F.4: User Interface to Controller Cable
Testing on this link has shown that it is immune to problems at all of the tested voltage
levels:
Full connector, grounded wires Severity Level
USER PERMIT Setting 0.5kV 1.0kV 2.0kV 4.0kV
TRUE A A A A
FALSE A A A A
Table F.4: EMC Test Results of Circuit in Figure 4.85 on page 107
174 APPENDIX F. ELECTRO-MAGNETIC COMPATIBILITY ANALYSIS
F.3 Power Supply Testing
The Beam Interlock Controller has a switched mode Power Supply, this was also tested according
to the IEC-61000, with a simple layout as shown in Figure F.5
Figure F.5: EMC Testing of the VME Power Supply
These devices are designed to be used in industrial environments, so it has to be noted that they
have already been tested to the IEC 61000 levels by the supplier [129], however no mention is
given regarding the level of performance achieved during manufacturer testing. The VME Power
Supply showed no ill effects at any of the tested voltage levels.
Severity Level
0.5kV 1.0kV 2.0kV 4.0kV
VME PSU A A A A
Table F.5: EMC Test Results of the VME Power Supply
The CIBD was tested in much the same way as the VME Power Supply, using the same set-up as
shown in Figure 4.86 on page 107. The CIBD uses an enclosed power supply from Tracopower, this
enclosed supply has been manufacturer tested, and is certified as withstanding 1kV interference
[130], to increase the protection level the supply has been encased a second time, and has a mains
supply filter fitted with slow-fuse. The results of the tests are shown in Table F.6.
Severity Level
0.5kV 1.0kV 2.0kV 4.0kV
CIBD A A A D
Table F.6: EMC Test Results of the CIBU Power Supply (CIBD)
It has to be noted that the CIBD and CIBU did not fail at 4.0kV, conducted radiation caused the
Power PC of the VME Chassis to fail, it needed a power cycle to be restored.
Appendix G
Signal Integrity Analysis
G.1 Electrical Length Calculation
A key parameter in the analysis of an interconnection is the electrical length, this relates the signal
wavelength that can be found on the link with the physical link length. If this ratio is high, then
the interconnection must be treated as a high frequency design, with impedance and termination
values considered, a low-frequency analysis is sufficient if this ratio is small. The rise time of an
individual signal is normally determined by the driver parameters, in the case of the MAX3440E,
the rise time of one of the wires of the differential signal is 200ns [84]. The equivalent frequency of
this signal can be found from the following equation [117].
fr =
1
pi × tr (G.1)
Where fr is the frequency in Hertz and tr is the rise time in seconds. This means that a 200ns






Where λr is the wavelength in meters and c is the speed of light in a vacuum. Equating this for
the MAX3440E in a CERN standard NE12 cable leads to a wavelength of 112.5m. The electrical





Where E is the electrical length and l is the cable length in meters. A full length RS485 link of
1200m driven by a MAX3440E has an electrical length of over 10, the specified limit for low
frequency design is 0.05 [115].
G.2 Type-1 Signal Integrity
The link from the User System to the User Interface (CIBU) consists of just three signals:
• USER PERMIT A
• USER PERMIT B
• BEAM PERMIT INFO
USER PERMIT A and B are considered as ‘mission critical’, whereas BEAM PERMIT INFO is
less critical, all three signals are connected using current loops, as this facilitates the
interconnection of the different User System hardware platforms.
175
176 APPENDIX G. SIGNAL INTEGRITY ANALYSIS
G.2.1 USER PERMIT from User System to CIBU
The User System needs to provides a voltage or current source and a switch to drive the
USER PERMIT links, the switch can take the form of a transistor, or a physical device such as a
relay. The CIBU has a small circuits to regulate the current in the loop to optimise the operation
of the optocoupler. The recommended layout of this interconnection is shown in Figure G.1.
Figure G.1: Basic USER PERMIT Current Loop Implementation
The current regulator controls the current in the loop, optimising the switching of the optocoupler,
which serves as a current detector. When the user gives permit, current is allowed to flow, since
the current in the two branches is equal and opposite and the wires are twisted pair, signal
coupling is mostly between these two wires. Full shielding and ground connections augment this
performance, improving the noise immunity.
A simple NPN transistor is recommended as the current loop switch, typically a BC847 is
recommended for a smooth switching when the User System has a 5V supply. Slower 24V systems
can be implemented with a relay for the switching, in this case the rate of change of voltage has to
be limited to around 5V/us to prevent reflection problems on the link. It is inevitable that
mechanical switching components have a settling time, for a typical relay this can be several
milliseconds, so fast interlock systems are not to use a mechanical switch.
The complete circuit has been simulated as two single ended transmission lines with each having a
characteristic impedance of half the differential impedance, this is an approximation. The typical
differential impedance is the a value taken for a CERN standard interconnecting cable [137].
G.2.2 BEAM PERMIT INFO from CIBU to User System
The User Interface provides a contact for BEAM PERMIT INFO, essentially a slow optocoupler,
which is closed when the BEAM PERMIT INFO is FALSE the user can use a current or voltage
interface to readback this value for example with a simple pull-up arrangement, as shown in
Figure G.2.
Figure G.2: Basic BEAM PERMIT INFO Current Loop Implementation
The reaction time of the circuit is somewhat slower than that of the USER PERMIT.
G.3. TYPE-2 SIGNAL INTEGRITY 177
G.3 Type-2 Signal Integrity
The link from the User Interface (CIBU) to the Beam Interlock Controller (BIC) is made using
slew-rate limited balanced differential RS485 signals in a shielded twisted pair cable, altogether
there are five signals in this link:
• USER PERMIT A
• USER PERMIT B
• BEAM PERMIT INFO
• TEST
• MONITOR
USER PERMIT A, B and BEAM PERMIT INFO are DC signals, TEST and MONITOR are
encoded frames, at 31.25kHz.
G.3.1 Differential Signals between CIBU and BIC
The differential signals between the CIBU and BIC are considered as high frequency signals as has
been shown in the previous section. Four different circuit topologies exist for DC links
USER PERMIT and BEAM PERMIT INFO :
• USER PERMIT from CIBU to CIBM through CIBPL with single termination
• USER PERMIT from CIBU to CIBM through CIBPL with double termination
• USER PERMIT from CIBU to CIBM through CIBPS
• BEAM PERMIT INFO from CIBM or CIBT to CIBU
The encoded links TEST and MONITOR have a 62.5kHz basic frequency, with the same basic
topology. The use of redundant and timed frames means that even if a corruption to occur, it
could not lead to machine downtime due to a switch from ‘operation’ to ‘test’ mode. All the
different type-2 signal architectures have been analysed and each has been shown to have an
acceptable performance.
G.4 Type-3 Signal Integrity
Links that go from Controller to Controller are optical, in principle there cannot be any EMC
issues related to these physical links [138].
G.5 Type-4 Signal Integrity
Signals that are transmitted from one card to another within the VME chassis of the Beam
Interlock Controller are slew-rate limited balanced differential RS485 signals with a fundamental
frequency of 250 kHz. The wavelength of the 250kHz signal is identical to that show in Section
[cite] as the same MAX3440E driver is used.
As the interconnecting PCBs are not strictly impedance controlled, the slow rising and falling edges
of the slew-rate limited signals is relied upon to ensure that the integrity of the links is maintained.
The longest physical connection is a Safe Beam Flag signal from the SMPR, which has to traverse
almost the complete CIBP, in the LHC there are a pair of Safe Beam Flags for each CIBM:
178 APPENDIX G. SIGNAL INTEGRITY ANALYSIS
Figure G.3: Safe Beam Flag Transmission within an LHC Patch Panel (CIBPL)
The same flag is used in a multi-drop arrangement in the SPS:
Figure G.4: Safe Beam Flag Transmission within an SPS Patch Panel (CIBPS)
Again the MAX3440E transceiver is used, but this time the maximum length is just one meter,
this gives an electrical length of less than 0.01. This can be treated as a low frequency link,
simulation show that there are absolutely no integrity issues with any of the Type-4 RS485
differential board-to-board links.
G.6 Type-5 Signal Integrity
Type-5 links are those that can be found on the same PCB, where a signal passes from one
integrated circuit to another on the same board. There are numerous Type-5 signals to be
considered, in order to analyse the links the simplest approach is to determine the electrical length
of only fastest signals ensuring that they can all be considered as low-frequency signals.
G.6.1 Worst Case Type-5 Link
The longest link on the CIBM is from the lower RS485 transceivers to the upper matrix. The
USER PERMIT signal is derived from the differential signals by the MAX3440E transceiver and
although the differential signals are slew rate limited, the TTL output signals from the driver are
G.6. TYPE-5 SIGNAL INTEGRITY 179
not. A rise and fall time for these signals can be determined from values for TTL components
giving a typical rise time of only 5ns [139], this is an equivalent frequency of over 60MHz having a
wavelength just under three meters. if it is to be considered a low frequency link the longest
allowed trace is 14cm, [136] [115]. All of the USER PERMIT links on the CIBM are shorter than
14cm, so no integrity problems exist.
G.6.2 Special Case Type-5 Link
The signal from the CIBO optical transceiver has a fall time of only 1.1ns [140], giving a signal
frequency of 290MHz with a corresponding wavelength of 62cm. This leads to a maximum trace
length of just 3.1cm. This is routing of the LOOP IN and LOOP OUT signals has been
constrained to meet these length limitations.
180 APPENDIX G. SIGNAL INTEGRITY ANALYSIS
Appendix H
Failure Modes, Effects and
Criticality Analysis
Failure Modes, Effects and Criticality Analysis has been carried out on the complete Beam
Interlock System to determine the probability of different failures occurring during a single
ten-hour LHC mission. Table H.1 shows the probabilities of failure of each sub-system of the Beam
Interlock System during a single ten-hour LHC mission. The numbers take into consideration the
quantity of each unit installed in the LHC Beam Interlock System.
Sub-System LHC Quantity P(Fail) per 10-hour mission for all of LHCNo Effect Maintenance False Dump Blind Failure
CIBD 266 4.78E-04 1.13E-02 2.41E-08 0.00E+00
CIBUS 82 3.89E-03 2.34E-03 2.67E-03 3.80E-10
CIBUD 51 4.54E-03 2.61E-03 2.98E-03 2.36E-10
CIBPL 16 1.40E-05 2.80E-05 1.97E-04 0.00E+00
CIBEA 64 5.61E-05 5.61E-05
CIBEB 32 2.80E-05 2.80E-05
CIBT 32 9.08E-04 9.05E-04 4.59E-06
CIBTD 32 4.90E-04 1.80E-05
CIBM 32 1.59E-03 1.59E-03 2.39E-03 1.37E-11
CIBMD 32 9.50E-04 4.62E-06 1.33E-04
CIBO 72 1.42E-04 5.98E-04 5.08E-13
CIBG 4 2.91E-05 2.91E-05 6.40E-05
CIB FAN 32 4.92E-03 7.57E-08
CIB PSU 32 3.20E-03 3.20E-08
Totals 1.31E-02 2.70E-02 9.12E-03 3.27E-08
Table H.1: Sub-System Probability of Failure for the Whole of LHC During a Ten-Hour Mission
H.1 Double User Interface (CIBUD) Example
To give an example of FMECA consider the CIBUD figures shown in Table H.1. The equivalent
hourly probabilities of failure are derived by dividing by 510 which is the number of unit-hours in
an LHC mission:
No Effect Maintenance False Dump Blind Failure
‘NE’ ‘M’ ‘FD’ ‘BF’
8.9× 10−6 5.1× 10−6 5.8× 10−6 7.3× 10−12
Table H.2: Double User Interface Hourly Probability of Failure
The following pages show the Failure Modes, Effects and Criticality Analysis worksheet that has
been used to determine these figures.
181
182 APPENDIX H. FAILURE MODES, EFFECTS AND CRITICALITY ANALYSIS
H.1. DOUBLE USER INTERFACE (CIBUD) EXAMPLE 183
184 APPENDIX H. FAILURE MODES, EFFECTS AND CRITICALITY ANALYSIS
H.1. DOUBLE USER INTERFACE (CIBUD) EXAMPLE 185
186 APPENDIX H. FAILURE MODES, EFFECTS AND CRITICALITY ANALYSIS
H.1. DOUBLE USER INTERFACE (CIBUD) EXAMPLE 187
188 APPENDIX H. FAILURE MODES, EFFECTS AND CRITICALITY ANALYSIS
H.1. DOUBLE USER INTERFACE (CIBUD) EXAMPLE 189
190 APPENDIX H. FAILURE MODES, EFFECTS AND CRITICALITY ANALYSIS
H.1. DOUBLE USER INTERFACE (CIBUD) EXAMPLE 191
192 APPENDIX H. FAILURE MODES, EFFECTS AND CRITICALITY ANALYSIS
H.1. DOUBLE USER INTERFACE (CIBUD) EXAMPLE 193
194 APPENDIX H. FAILURE MODES, EFFECTS AND CRITICALITY ANALYSIS
H.1. DOUBLE USER INTERFACE (CIBUD) EXAMPLE 195
196 APPENDIX H. FAILURE MODES, EFFECTS AND CRITICALITY ANALYSIS
H.1. DOUBLE USER INTERFACE (CIBUD) EXAMPLE 197
The Blind Failure in the worksheet indicates the probability that a single USER PERMIT A OR
USER PERMIT B fails blind, to have a complete blind failure would require that both
USER PERMIT A AND USER PERMIT B fail within the same hour so 2.7× 10−6 is squared to
become 7.3× 10−12 representing the probability of blind failure of both A and B.
This procedure has been repeated for each and every sub-system, deriving hourly probabilities of
failure that have been used to create both Table 4.34 on page 111 and Table H.1 on
page 181.
198 APPENDIX H. FAILURE MODES, EFFECTS AND CRITICALITY ANALYSIS
Appendix I
BEAM PERMIT INFO in the Test
& Monitor Board
The CIBT receives BEAM PERMIT INFO flags from two sources with the RS485 receivers
implemented as shown in Figure I.1.
Figure I.1: Implementation of the CIBT BEAM PERMIT INFO Circuits
Note that only the beam-1 signals are terminated, this allows the same CIBT hardware to operate
with both the LHC and SPS patch-panels. In the LHC CIBT B1 receives BEAM PERMIT INFO
from both CIBM B1 and B2, the CIBT B2 however receives the same three signals twice on its
beam-1 and beam-2 channels. This exploits the multidrop nature of RS485, with the termination
implemented through the beam-1 circuits. Figure I.2 on the following page shows this
implementation.
199
200 APPENDIX I. BEAM PERMIT INFO IN THE TEST & MONITOR BOARD
Figure I.2: Implementation of BEAM PERMIT INFO in the LHC
There is no cross-connection of CIBT BEAM PERMIT INFO signals when the SPS patch-panel is
used, the LEFT CIBT receives the signals from the LEFT CIBM, the RIGHT from the RIGHT. In
order to make the OR circuit of the CIBT function correctly, these signals are passed to both
channels, as shown in Figure I.3.
Figure I.3: Implementation of BEAM PERMIT INFO in the SPS
If anything malfunctions in the BEAM PERMIT INFO link the circuits default to TRUE. The
FAULT signals shown in Figure 4.63 on page 90 are ORed with the BEAM PERMIT INFOs to
force the signal to TRUE if an RS485 fault appears. A single fault does not result in the loss of
operation of the machine as Triple Mode Redundancy allows the failure of an A, B or C link can to
be tolerated before operation must be halted. A majority voter is implemented to determine the
equivalent logic level of these A,B and C links that is to be sent to the User Interface, this has a
very simple truth-table:
201
A B C Output
TRUE TRUE TRUE TRUE
TRUE TRUE FALSE TRUE
TRUE FALSE TRUE TRUE
TRUE FALSE FALSE FALSE
FALSE TRUE TRUE TRUE
FALSE TRUE FALSE FALSE
FALSE FALSE TRUE FALSE
FALSE FALSE FALSE FALSE
Table I.1: Majority Voter Truth Table
A voter is implemented on both the beam-1 and beam-2 circuits before being ORed together to
create the final BEAM PERMIT INFO signal.
202 APPENDIX I. BEAM PERMIT INFO IN THE TEST & MONITOR BOARD
Appendix J
Schematic Examples
The schematics of the Double User Interface are presented in the following pages. There are five
pages, each is spread across a double page.
• Page 1 shows the critical paths USER PERMIT A and USER PERMIT B for the beam-1
circuits.
• Page 2 shows the non critical paths which drive BEAM PERMIT INFO, TEST and
MONITOR for the beam-1 circuits.
• Page 3 shows the critical paths USER PERMIT A and USER PERMIT B for the beam-2
circuits.
• Page 4 shows the non critical paths which drive BEAM PERMIT INFO, TEST and
MONITOR for the beam-2 circuits.
• Page 5 shows the common circuits for power and ground.
The CIBUS is made using the same schematics, expect in this case all of the beam-2 components
are unmounted, leaving only a single interface between User System and Beam Interlock
Controller.
203
204 APPENDIX J. SCHEMATIC EXAMPLES
205
206 APPENDIX J. SCHEMATIC EXAMPLES
207
208 APPENDIX J. SCHEMATIC EXAMPLES
209
210 APPENDIX J. SCHEMATIC EXAMPLES
211
212 APPENDIX J. SCHEMATIC EXAMPLES
213
214 APPENDIX J. SCHEMATIC EXAMPLES
Appendix K
PCB Examples
The following pages shows the top and bottom layers of the CIBUD printed circuit board. It is a
four layer PCB, with the following stack-up:
1. TOP - component side
2. INT1 - internal power plane
3. INT2 - internal ground plane
4. BOTTOM - wiring side
Components are mounted on both the TOP and BOTTOM layers, copper pours are not shown on
the following diagrams, they are used to ground all the unused PCB areas on the upper and lower
layers to improve the EMC characteristics.
215
216 APPENDIX K. PCB EXAMPLES
217
218 APPENDIX K. PCB EXAMPLES
Appendix L
VHDL Examples
Two VHDL modules are described in this appendix, the Manchester Encoder and the Manchester
Decoder. These modules are relatively small, and give a good impression regarding the general
form of VHDL used throughout the Beam Interlock System.
L.1 Manchester Encoder
The Manchester encoder can be configured to transmit data in single or quad byte format.
Figure L.1: Single Byte Transmission Using the Manchester Encoder
Both of these formats are derived from the same VHDL code, changing the generic mapping
changes the size of the final Manchester encoder. Constants within the code also define the
operation of the Manchester encoder, describing the lengths of the various sections that make up
the encoded sequence.
Line 92 calls the combinational function ‘ComplexByteToManchester’ which converts an eight bit
vector into an eighteen bit Manchester encoded equivalent, with an even parity bit. This function
is shown below.
Figure L.2: ComplexByteToManchester Function
219
220 APPENDIX L. VHDL EXAMPLES
L.1. MANCHESTER ENCODER 221
222 APPENDIX L. VHDL EXAMPLES
L.2. MANCHESTER DECODER 223
L.2 Manchester Decoder
The Manchester decoder is matched to the encoder, this includes both transmission rate and
generic sizes. A quad-byte transmission is shown below:
Figure L.3: Quad Byte Transmission Using the Manchester Encoder
The Manchester encoder in the User Interface is configured to send the memory contents of the
CIBU in five successive transmissions of a single-byte without pausing between each frame. This
transmission is as shown below.
Figure L.4: Serialised Data Decoding Using the Manchester Decoder
Line 206 calls the combinational function ‘ComplexManchesterToByte’ which converts eighteen
sampled bits into an eight bit output. This conversion also checks for the integrity of the
transmitted frame at the electrical level, by verifying that each Manchester encoded bit-pair is
coherent and that the parity transmitted is consistent with the decoded byte of data. This
function is shown below.
Figure L.5: ComplexManchesterToByte Function
224 APPENDIX L. VHDL EXAMPLES
L.2. MANCHESTER DECODER 225
226 APPENDIX L. VHDL EXAMPLES
L.2. MANCHESTER DECODER 227
228 APPENDIX L. VHDL EXAMPLES
Appendix M
Display Boards
The Manager Display has around 70 LEDs, arranged as shown below
Figure M.1: The Manager Display (CIBMD)
The Test & Monitor Display has around 140 LEDs, arranged as shown below
229
230 APPENDIX M. DISPLAY BOARDS
Figure M.2: The Test Display (CIBTD)
Appendix N
Photographs of Components
This appendix contains detailed photographs of various components of the Beam Interlock System.
N.1 CIBM Manager & CIBT Test and Monitor Boards
Figure N.1: Front View of the CIBM (left) and CIBT (right) Boards
The CIBM and CIBT are both 6U standard VME boards, notice that the CIBO are fixed onto the
wiring side of the CIBM board.
231
232 APPENDIX N. PHOTOGRAPHS OF COMPONENTS
Figure N.2: Rear View of the CIBM (left) and CIBT (right) Boards
The CIBMD and CIBTD fix onto the component side of the PCBs. This arrangement requires
asymmetrical front panels.
Figure N.3: Plan View of the CIBM Figure N.4: Plan View of the CIBT
The CIBM matrices sit in the upper right hand corner of the CIBM PCB, an optical transceiver
(CIBO) mounted directly behind each one.
N.2. CIBMD MANAGER DISPLAY & CIBTD TEST AND MONITOR DISPLAY BOARDS 233
N.2 CIBMD Manager Display & CIBTD Test and Monitor
Display Boards
Figure N.5: Front View of the CIBMD
Figure N.6: Rear View of the CIBMD
The CIBMD has over 60 LEDs that are triggered using LS123 devices configured as ≈ 100ms
monostables.
234 APPENDIX N. PHOTOGRAPHS OF COMPONENTS
Figure N.7: Front View of the CIBTD Figure N.8: Rear View of the CIBTD
The CIBMD has 140 LEDs that are each driven by a simple transistor. The uppermost row shows
debug information for testing and is not mounted in the final series.
N.3. CIBO OPTICAL TRANSCEIVER 235
N.3 CIBO Optical Transceiver
Figure N.9: Front View of the CIBO Optical Transceiver
The transmitter and receiver are discrete blocks referred to as ‘sugarcubes’ for their resemblance.
N.4 CIBP Patch Panels
Figure N.10: Front View of the LHC Patch Panel CIBPL
Figure N.11: Rear View of the LHC Patch Panel CIBPL
Ground strips are are clearly visible on the rear of the CIBP, this gives a low impedance
connection through the chassis to the patch-panel. The panels in the Beam Interlock Controller
use specially treated metalwork that is electrically conductive.
236 APPENDIX N. PHOTOGRAPHS OF COMPONENTS
Figure N.12: Assembled LHC Chassis Rear View
The LHC chassis has 20 Burndy connectors for connections to User Interfaces. The 21st connector,
which is significantly larger than the others, serves for all the special connections from the Beam
Interlock Controller.
Figure N.13: Assembled SPS Chassis Rear View
The SPS chassis has 28 connectors for User Interfaces, in this case the VME chassis special
connections are given by six small four-pin Burndy connectors. Each is dedicated to a single pair
of differential output signals.
N.5. CIBE EXTENDER BOARDS 237
N.5 CIBE Extender Boards
Figure N.14: Front View of the Type-A Exten-
der CIBEA Figure N.15: Front View of the Type-B Exten-
der CIBEB
The extension boards slide into the rear of the VME chassis connecting to the pins of the ‘P2’
connector. These interconnect a patch panel with the boards installed in the front of the VME
chassis.
N.6 CIBU User Interface
Figure N.16: Front View of the Single User Interface CIBUS
238 APPENDIX N. PHOTOGRAPHS OF COMPONENTS
Figure N.17: Rear View of the Single User Interface CIBUS
The CIBUS provides connections for a single link to the Beam Interlock Controller, shown on the
right hand side above
Figure N.18: Front View of the Double User Interface CIBUD
Figure N.19: Rear View of the Double User Interface CIBUD
The CIBUD provides a pair of connections for the LHC User Systems that interlocks the LHC
beams independently.
N.7. CIBD DC POWER SUPPLY 239
Figure N.20: CIBUD Pictured with the CIBU PCB (unmounted)
Figure N.21: CIBUD PCB Without Metalwork
N.7 CIBD DC Power Supply
Figure N.22: Front View of the CIBD
Figure N.23: CIBUD PCB Without Metalwork
The CIBD power supply is an encased commercial PSU that has been re-enclosed in an conductive
chassis and fitted with a power supply filter. This double enclosure and filtering provides very
good EMC characteristics.
240 APPENDIX N. PHOTOGRAPHS OF COMPONENTS
N.8 TT40 Installation Example
Figure N.24: Front View of the TT40 Beam Interlock Controller
Figure N.25: Rear View of the TT40 Beam Interlock Controller
The TT40 Beam Interlock Controllers are installed in an SPS type chassis. The rear view shows
that a high percentage of the channels are used.
Appendix O
Assembling the Rear Section of a
VME Chassis
The assembly of the rear section of a VME chassis used as a Beam Interlock Controller is relatively
simple, it’s illustrated in the following diagrams.
Figure O.1: Rear of an Empty VME Chassis Equipped with a Card Cage
Figure O.1 shows the rear of a VME chassis, with the added card cage. The runners are only
required to be installed in slots which are directly behind those that are occupied by boards in the
Beam Interlock Controller:
• Slot 4, Beam-1 or LEFT manager board
• Slot 7, Beam-1 or LEFT test and monitor board
• Slot 10, Beam-2 or RIGHT test and monitor board
• Slot 13, Beam-2 or RIGHT manager board
• Slot 16, Reserved for future use
• Slot 19, Safe Machine Parameters Receiver board
Slots 4, 7, 10 and 13 all require CIBEA extension boards, slots 16 and 19 need CIBEB type
extension boards. Figure O.2 on the following page shows the chassis with six extenders in the
runners.
241
242 APPENDIX O. ASSEMBLING THE REAR SECTION OF A VME CHASSIS
Figure O.2: Rear View Showing Card Cage with Extenders on Runners
Figure O.3: Alignment of CIBPx with VME Chassis
The extenders are mated with the VME bus, the the CIBP is aligned as shown in Figure O.3, then
connected. Countersunk screws fasten the CIBP to the VME chassis using standard fixing holes.
The final chassis looks like Figure N.12 on page 236 if it’s an LHC type or N.13 on page 236 if it’s
an SPS type.
List of Figures
1.1 Sub-Atomic Structure [2] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2 Particles of the Standard Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.3 CMS Higgs Decay [4] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.4 Unification of the Forces [2] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.5 The 27km LHC Accelerator with SPS [Not to Scale] [23] . . . . . . . . . . . . . . . 9
1.6 LHC Dipole Magnet Installed in the Machine [24] . . . . . . . . . . . . . . . . . . 10
1.7 The ATLAS Experiment [25] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.8 The CMS Experiment [26] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.9 The ALICE Experiment [27] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.10 The LHC-b Detector [28] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.11 Simulation of Higgs boson decay in ATLAS [29] . . . . . . . . . . . . . . . . . . . . 11
1.12 CERN Accelerator Complex, Dimensions and Operational Year Marked [30] . . . . 12
1.13 Nominal LHC Magnetic Cycle - adapted from [31] . . . . . . . . . . . . . . . . . . 13
1.14 The SPS, shown with LHC transfer lines TI2 and TI8 [32] . . . . . . . . . . . . . . 13
1.15 Neutrinos Sent from CERN, Switzerland to Gran Sasso, Italy [33] . . . . . . . . . 14
1.16 SPS is the Source of Neutrinos for the CNGS Experiment [34] . . . . . . . . . . . 14
2.1 Stored Energy of the LHC and other Accelerators [41] . . . . . . . . . . . . . . . . 17
2.2 Beam Intensity and Main Dipole Current in an LHC Cycle . . . . . . . . . . . . . 18
2.3 Layered Metal Plates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.4 Damaged Plate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.5 Destroyed SPS Vacuum Chamber . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.6 5mm Groove in HERA Collimator . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.7 Damage to a Tevatron Collimator . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.8 Accelerator Structures with Beam Based Protection in the CERN Complex . . . . 20
2.9 Evolution of the LHC Machine Protection System 2000-2006 . . . . . . . . . . . . 21
2.10 Simplified Architecture of the Beam Interlock System . . . . . . . . . . . . . . . . 22
2.11 Response Times of Elements of the Machine Protection System . . . . . . . . . . . 24
2.12 Cross Redundancy Following a Failure, adapted from [68] . . . . . . . . . . . . . . 28
2.13 Specified Probability of Beam Interlock System Failure Modes . . . . . . . . . . . 29
3.1 Research, Development, Prototyping and Installation Schedule of the BIS . . . . . 32
3.2 A Breakdown of the MPS Reaction Time . . . . . . . . . . . . . . . . . . . . . . . 32
3.3 Beam-1, Beam-2 and Both-Beam Interface to the Beam Interlock System . . . . . 33
3.4 LHC Layout with Permit Loops and Controllers and Dumping Systems (not to scale) 34
3.5 Generator and Detector Principle for the BEAM PERMIT signal . . . . . . . . . . 34
3.6 Beam Permit Loops for LHC Beam-2 . . . . . . . . . . . . . . . . . . . . . . . . . 35
3.7 Simple Block Diagram of a pair of LHC Beam Interlock Controllers . . . . . . . . 36
3.8 Fail Safe RS485 Link Implementation . . . . . . . . . . . . . . . . . . . . . . . . . 38
3.9 Redundant Critical Paths and Non-Critical BEAM PERMIT INFO . . . . . . . . 39
3.10 Simple Block Diagram of the User Interface Hardware . . . . . . . . . . . . . . . . 40
3.11 The Two Variants of the User Interface . . . . . . . . . . . . . . . . . . . . . . . . 40
4.1 Part of the CERN Accelerator Complex and Associated Beam Interlock Systems . 44
4.2 Feedback of Beam Permit from Destination to Source Equipment . . . . . . . . . . 44
4.3 Ring Versus Tree Architectures of the Beam Interlock System . . . . . . . . . . . . 45
4.4 SPS BA4 Extraction to CNGS or LHC . . . . . . . . . . . . . . . . . . . . . . . . 45
4.5 The Electrical Architecture of the Beam Interlock System . . . . . . . . . . . . . . 46
243
244 LIST OF FIGURES
4.6 The Beam Permit Closed-Loop Principle . . . . . . . . . . . . . . . . . . . . . . . 49
4.7 LHC Beam-2 Permit Loops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
4.8 Permit Loops of the SPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
4.9 The Beam Permit Open-Loop Principle . . . . . . . . . . . . . . . . . . . . . . . . 50
4.10 Permit Loops of the Injection and Extraction Systems . . . . . . . . . . . . . . . . 51
4.11 Creating and Maintaining the Beam Permit Loop 10MHz with 50% Duty Cycle . . 52
4.12 Worst Case Interconnections from Controller to Controller . . . . . . . . . . . . . . 52
4.13 Block Diagram of the Optical Transceiver . . . . . . . . . . . . . . . . . . . . . . . 53
4.14 Detailed Block Diagram of the CIBO Optical Transceiver . . . . . . . . . . . . . . 54
4.15 Testing the Effect of Attenuation on the 10MHz Waveform . . . . . . . . . . . . . 55
4.16 Typical Resulting Histogram for the Beam Permit Loop Period Observations . . . 55
4.17 Results from the Frequency Observation Experiments . . . . . . . . . . . . . . . . 56
4.18 Results of Convolution of Period Errors for Seventeen Retransmissions . . . . . . . 57
4.19 Manifestations of Bit Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
4.20 Experiment Setup to Determine the Bit Error Rate . . . . . . . . . . . . . . . . . 58
4.21 Bit Error Rate as a function of Signal to Noise Ratio . . . . . . . . . . . . . . . . . 58
4.22 Counting the Edges of the Beam Permit Loop Signal During a Sampling Window 60
4.23 Beam Permit Loops with FAST and SLOW Detectors . . . . . . . . . . . . . . . . 61
4.24 Detailed Diagram of the Beam Permit Loop Frequency Generator . . . . . . . . . 61
4.25 Finite State Machine for the Arming of the Beam Permit Loop . . . . . . . . . . . 62
4.26 Automatic Simultaneous Disarm of Both Beam Permit Loops in the LHC . . . . . 62
4.27 Implementation of the Detector Circuits in the BT Systems, with Tertiary Trigger 63
4.28 Using the Tertiary Permit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
4.29 Creating BEAM PERMIT INFO for User Systems . . . . . . . . . . . . . . . . . . 65
4.30 A Single LHC VME Chassis Housing Both Beam-1 and Beam-2 BICs . . . . . . . 66
4.31 Signal Routing through the LHC Patch-Panel (CIBPL) and Extension Cards . . . 67
4.32 Signal Routing through the SPS Patch-Panel (CIBPS) and Extension Cards . . . . 67
4.33 USER PERMIT to Beam Permit Loop Using the LHC Patch-Panel . . . . . . . . 68
4.34 USER PERMIT to Beam Permit Loop Using the SPS Patch-Panel . . . . . . . . . 68
4.35 BEAM PERMIT to LOCAL BEAM PERMIT Using the LHC Patch-Panel . . . . 69
4.36 BEAM PERMIT to LOCAL BEAM PERMIT Using the SPS Patch-Panel . . . . 69
4.37 TEST and MONITOR Using the LHC Patch-Panel . . . . . . . . . . . . . . . . . 70
4.38 TEST and MONITOR Using the SPS Patch-Panel . . . . . . . . . . . . . . . . . . 70
4.39 Block Diagram of the Manager Board with Matrix CPLDs and Monitor FPGA . . 72
4.40 Routing of the Permit Signals in the Manager . . . . . . . . . . . . . . . . . . . . . 72
4.41 Routing of the Safe Beam Flag Signals in the CIBM . . . . . . . . . . . . . . . . . 73
4.42 Routing of the Latch Signals in the CIBM . . . . . . . . . . . . . . . . . . . . . . . 74
4.43 Matrix Electrical Block Diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
4.44 An Example of Fail Safe Routing in an XC95288XL . . . . . . . . . . . . . . . . . 76
4.45 Six Stages Inside the Matrix CPLD . . . . . . . . . . . . . . . . . . . . . . . . . . 76
4.46 Block Diagram of CIBM Matrix Functionality . . . . . . . . . . . . . . . . . . . . 77
4.47 Simple AND Gate, with False Frequency Propagation . . . . . . . . . . . . . . . . 79
4.48 Input and Outputs of the CIBM Monitor . . . . . . . . . . . . . . . . . . . . . . . 81
4.49 Basic Block Diagram of the Monitor FPGA Internal Architecture . . . . . . . . . . 82
4.50 Basic Block Diagram of the CIBM Status Memory . . . . . . . . . . . . . . . . . . 82
4.51 Frequency Detection and Monitoring Block Inside the CIBM Monitor . . . . . . . 83
4.52 Driving the BEAM PERMIT INFO signals . . . . . . . . . . . . . . . . . . . . . . 84
4.53 Block Diagram of the CIBT Status Memory . . . . . . . . . . . . . . . . . . . . . . 85
4.54 Dual Redundant TEST and MONITOR Links Between the CIBM and CIBT . . . 85
4.55 Block Diagram of the History Buffer . . . . . . . . . . . . . . . . . . . . . . . . . . 85
4.56 Communication Link Parameters for CIBT Channels . . . . . . . . . . . . . . . . . 87
4.57 Expanded Block Diagram of the CIBT . . . . . . . . . . . . . . . . . . . . . . . . . 87
4.58 Transmission Through the CIBT . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
4.59 Single Byte Manchester Encoded Frame . . . . . . . . . . . . . . . . . . . . . . . . 88
4.60 Single Byte Manchester Encoded Frame . . . . . . . . . . . . . . . . . . . . . . . . 88
4.61 Manchester Encoder Block Diagram . . . . . . . . . . . . . . . . . . . . . . . . . . 89
4.62 Manchester Decoder Block Diagram . . . . . . . . . . . . . . . . . . . . . . . . . . 89
4.63 Implementation of the CIBT BEAM PERMIT INFO Circuits . . . . . . . . . . . . 90
4.64 Data Transmission Paths for TEST and MONITOR Data . . . . . . . . . . . . . . 92
4.65 Block Diagram of the User Interface (CIBU) . . . . . . . . . . . . . . . . . . . . . 93
LIST OF FIGURES 245
4.66 USER PERMIT Current Regulation in the CIBU . . . . . . . . . . . . . . . . . . 94
4.67 USER PERMIT Current Loop to Differential Conversion in the CIBU . . . . . . . 94
4.68 BEAM PERMIT INFO Differential to Current Loop Conversion in the CIBU . . . 95
4.69 TEST and MONITOR Channel Implementation in the CIBU . . . . . . . . . . . . 95
4.70 External and Internal Sources of MONITOR Data . . . . . . . . . . . . . . . . . . 96
4.71 CIBU CPLD Internal Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
4.72 CIBU Front Panel LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
4.73 USER PERMIT Circuit with TEST and MONITOR in the CIBU . . . . . . . . . 97
4.74 BEAN PERMIT INFO Circuit with TEST and MONITOR in the CIBU . . . . . 98
4.75 Power Supply Circuits with MONITOR in the CIBU . . . . . . . . . . . . . . . . . 98
4.76 Single and Double User Interfaces, CIBUS and CIBUD . . . . . . . . . . . . . . . 99
4.77 Extending the CIBU to Controller Link Length . . . . . . . . . . . . . . . . . . . . 100
4.78 Three Types of Cabled Links at the System Level . . . . . . . . . . . . . . . . . . 102
4.79 Typical Board to Board Link at the Controller Level . . . . . . . . . . . . . . . . . 102
4.80 Typical On-Board Link at the Controller Level . . . . . . . . . . . . . . . . . . . . 103
4.81 Typical Active PCB Cross-Section . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
4.82 Typical Interconnecting PCB Cross-Section . . . . . . . . . . . . . . . . . . . . . . 104
4.83 Balanced Differential Signalling, Shields and Ground . . . . . . . . . . . . . . . . . 105
4.84 Recommended User System to User Interface Cable . . . . . . . . . . . . . . . . . 107
4.85 User Interface to Controller Cable . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
4.86 EMC Testing of the VME Power Supply . . . . . . . . . . . . . . . . . . . . . . . . 107
4.87 Development of the System Dependability to Meet Operational Requirements . . . 111
4.88 Diagnosis of Stand-Alone Controller Operation . . . . . . . . . . . . . . . . . . . . 114
4.89 Diagnosis of Controller and CIBU Operation . . . . . . . . . . . . . . . . . . . . . 114
4.90 Diagnosis of Slave-Controller to Master-Controller Link . . . . . . . . . . . . . . . 115
4.91 Diagnosis of an Extended Controller to User Interface Link . . . . . . . . . . . . . 115
4.92 Testing the Beam Interlock System . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
4.93 Test and Commission of Beam Interlock System . . . . . . . . . . . . . . . . . . . 117
4.94 CERN-wide Supervision . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
4.95 Architectural View of the LHC BIS Supervision . . . . . . . . . . . . . . . . . . . . 119
4.96 Bar Graph View of the BA4 Extraction BIS Supervision . . . . . . . . . . . . . . . 121
4.97 Controller Level Simple Supervision . . . . . . . . . . . . . . . . . . . . . . . . . . 121
4.98 Controller Level Floating Bar-Graph . . . . . . . . . . . . . . . . . . . . . . . . . . 122
4.99 Specialist Supervision Beam Interlock Controllers . . . . . . . . . . . . . . . . . . . 123
4.100 Specialist Supervision of the Beam Permit Loops . . . . . . . . . . . . . . . . . . . 123
4.101 Specialist Test Screens at the Controller Level . . . . . . . . . . . . . . . . . . . . 124
4.102 Specialist Test Screens at the System Level . . . . . . . . . . . . . . . . . . . . . . 124
5.1 TRUE to FALSE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
5.2 FALSE to TRUE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
5.3 USER PERMIT FALSE ≥ 2µs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
5.4 USER PERMIT FALSE < 2µs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
5.5 Monitoring of the CIBU via the CIBT and Visual Basic . . . . . . . . . . . . . . . 129
5.6 User Interface → Controller → Master . . . . . . . . . . . . . . . . . . . . . . . . . 129
5.7 Reponse Time of the Master-Slave Links . . . . . . . . . . . . . . . . . . . . . . . . 130
5.8 Simple Three Controller Prototype Beam Permit Loop . . . . . . . . . . . . . . . . 130
5.9 CIBGOUT vs BIC1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
5.10 CIBGOUT vs BIC2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
5.11 CIBGOUT vs BIC3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
5.12 CIBGOUT vs CIBGIN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
5.13 Beam Interlock Installation in SPS, 2006 . . . . . . . . . . . . . . . . . . . . . . . 132
5.14 Beam Permit Loop and Controller Installation in SPS, 2006 . . . . . . . . . . . . . 132
5.15 Overview Supervision Screen Prototype, SPS 2006 . . . . . . . . . . . . . . . . . . 133
5.16 Software Interlocking in SPS, 2006 . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
5.17 Controller Supervision Screen Prototype, SPS 2006 . . . . . . . . . . . . . . . . . . 135
5.18 Specialist Supervision Screen Prototype, SPS 2006 . . . . . . . . . . . . . . . . . . 135
5.19 CNGS and TI8 Beam Interlock System, 2006 . . . . . . . . . . . . . . . . . . . . . 136
5.20 CNGS Controller Hierarchy, 2006 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
5.21 Magnets and Equipment Around the Extraction Region . . . . . . . . . . . . . . . 137
5.22 Normal SPS Closed Orbit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
246 LIST OF FIGURES
5.23 SPS Bumped Orbit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
5.24 SPS Beam Extraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
5.25 Set-up of the Current-Change Monitor Tests . . . . . . . . . . . . . . . . . . . . . 139
5.26 Bar Graph Supervision Screen Example from CNGS Extraction, 2006 . . . . . . . 140
5.27 Interpreted History Buffer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
5.28 BA4 Rack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
5.29 Rear of SPS BIC BA4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
5.30 Rear of TT40 BICs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
5.31 Rear of TT41 BICs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
5.32 Predicted Worst Case Response Time for the Beam Interlock System (to scale) . . 142
5.33 Proposed Integration of the Software Interlock System . . . . . . . . . . . . . . . . 144
5.34 DC versus Frequency Based Operation for the Beam Permit Loops . . . . . . . . . 144
5.35 Upgrade to the CIBO Transceiver . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
5.36 Proposed Upgrade for the Optical Switching Circuit . . . . . . . . . . . . . . . . . 145
5.37 Pinging the Beam Permit Loops to Check Delay . . . . . . . . . . . . . . . . . . . 146
5.38 Required Implementation of the Master BIC for 2007 . . . . . . . . . . . . . . . . 146
A.1 Current Loop Transmission Circuit . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
A.2 Optically Isolated RS485 Transmission Circuit . . . . . . . . . . . . . . . . . . . . 151
A.3 RS485 Transmission Circuit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
A.4 FALSE to TRUE Transmission Using Current Loops . . . . . . . . . . . . . . . . . 152
A.5 TRUE to FALSE Transmission Using Current Loops . . . . . . . . . . . . . . . . . 152
A.6 FALSE to TRUE Transmission Current Loop Line Voltages . . . . . . . . . . . . . 153
A.7 TRUE to FALSE Transmission Current Loop Line Voltages . . . . . . . . . . . . . 153
A.8 FALSE to TRUE Transmission Using Isolated RS485 . . . . . . . . . . . . . . . . 154
A.9 TRUE to FALSE Transmission Using Isolated RS485 . . . . . . . . . . . . . . . . 154
A.10 FALSE to TRUE Transmission Using RS485 . . . . . . . . . . . . . . . . . . . . . 155
A.11 TRUE to FALSE Transmission Using RS485 . . . . . . . . . . . . . . . . . . . . . 155
A.12 Example of RS485 Resistance to External Perturbation . . . . . . . . . . . . . . . 156
B.1 30cm RS485 Delay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
B.2 315m RS485 Delay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
B.3 615m RS485 Delay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
B.4 915m RS485 Delay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
B.5 1215m RS485 Delay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
D.1 MONITOR Data Transmission from User Interfaces to the Manager . . . . . . . . 162
D.2 TEST Data Transmission from the Manager to User Interfaces . . . . . . . . . . . 167
E.1 Connector and Socket Coding for the SPS and Transfer Line Systems . . . . . . . 170
E.2 Connector and Socket Coding for the LHC Systems . . . . . . . . . . . . . . . . . 170
F.1 User System to CIBU cable, with a Single Pig-Tail Shield Connection . . . . . . . 171
F.2 User System to CIBU cable, with a Pair of Pig-Tail Shield Connections . . . . . . 172
F.3 User System to CIBU Cable as Recommended . . . . . . . . . . . . . . . . . . . . 172
F.4 User Interface to Controller Cable . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
F.5 EMC Testing of the VME Power Supply . . . . . . . . . . . . . . . . . . . . . . . . 174
G.1 Basic USER PERMIT Current Loop Implementation . . . . . . . . . . . . . . . . 176
G.2 Basic BEAM PERMIT INFO Current Loop Implementation . . . . . . . . . . . . 176
G.3 Safe Beam Flag Transmission within an LHC Patch Panel (CIBPL) . . . . . . . . 178
G.4 Safe Beam Flag Transmission within an SPS Patch Panel (CIBPS) . . . . . . . . . 178
I.1 Implementation of the CIBT BEAM PERMIT INFO Circuits . . . . . . . . . . . . 199
I.2 Implementation of BEAM PERMIT INFO in the LHC . . . . . . . . . . . . . . . . 200
I.3 Implementation of BEAM PERMIT INFO in the SPS . . . . . . . . . . . . . . . . 200
L.1 Single Byte Transmission Using the Manchester Encoder . . . . . . . . . . . . . . 219
L.2 ComplexByteToManchester Function . . . . . . . . . . . . . . . . . . . . . . . . . . 219
L.3 Quad Byte Transmission Using the Manchester Encoder . . . . . . . . . . . . . . . 223
L.4 Serialised Data Decoding Using the Manchester Decoder . . . . . . . . . . . . . . . 223
L.5 ComplexManchesterToByte Function . . . . . . . . . . . . . . . . . . . . . . . . . . 223
LIST OF FIGURES 247
M.1 The Manager Display (CIBMD) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
M.2 The Test Display (CIBTD) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
N.1 Front View of the CIBM (left) and CIBT (right) Boards . . . . . . . . . . . . . . . 231
N.2 Rear View of the CIBM (left) and CIBT (right) Boards . . . . . . . . . . . . . . . 232
N.3 Plan View of the CIBM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
N.4 Plan View of the CIBT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
N.5 Front View of the CIBMD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
N.6 Rear View of the CIBMD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
N.7 Front View of the CIBTD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
N.8 Rear View of the CIBTD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
N.9 Front View of the CIBO Optical Transceiver . . . . . . . . . . . . . . . . . . . . . 235
N.10 Front View of the LHC Patch Panel CIBPL . . . . . . . . . . . . . . . . . . . . . . 235
N.11 Rear View of the LHC Patch Panel CIBPL . . . . . . . . . . . . . . . . . . . . . . 235
N.12 Assembled LHC Chassis Rear View . . . . . . . . . . . . . . . . . . . . . . . . . . 236
N.13 Assembled SPS Chassis Rear View . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
N.14 Front View of the Type-A Extender CIBEA . . . . . . . . . . . . . . . . . . . . . . 237
N.15 Front View of the Type-B Extender CIBEB . . . . . . . . . . . . . . . . . . . . . . 237
N.16 Front View of the Single User Interface CIBUS . . . . . . . . . . . . . . . . . . . . 237
N.17 Rear View of the Single User Interface CIBUS . . . . . . . . . . . . . . . . . . . . 238
N.18 Front View of the Double User Interface CIBUD . . . . . . . . . . . . . . . . . . . 238
N.19 Rear View of the Double User Interface CIBUD . . . . . . . . . . . . . . . . . . . 238
N.20 CIBUD Pictured with the CIBU PCB (unmounted) . . . . . . . . . . . . . . . . . 239
N.21 CIBUD PCB Without Metalwork . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
N.22 Front View of the CIBD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
N.23 CIBUD PCB Without Metalwork . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
N.24 Front View of the TT40 Beam Interlock Controller . . . . . . . . . . . . . . . . . . 240
N.25 Rear View of the TT40 Beam Interlock Controller . . . . . . . . . . . . . . . . . . 240
O.1 Rear of an Empty VME Chassis Equipped with a Card Cage . . . . . . . . . . . . 241
O.2 Rear View Showing Card Cage with Extenders on Runners . . . . . . . . . . . . . 242
O.3 Alignment of CIBPx with VME Chassis . . . . . . . . . . . . . . . . . . . . . . . . 242
248 LIST OF FIGURES
List of Tables
1.1 The K-Mesons / Kaons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.2 Standard Model Particles and their Superpartners . . . . . . . . . . . . . . . . . . . 6
1.3 Bosonic String and Superstring Theories . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.4 Past, Present, Future and Hypothetical Colliders [20] . . . . . . . . . . . . . . . . . . 7
1.5 A Brief History of CERN [21] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.6 The Cost of CNGS, LHC and its Experiments . . . . . . . . . . . . . . . . . . . . . . 15
2.1 Beam Parameters of the LHC [42] . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.2 Quench and Damage Levels for the LHC Machine [43] . . . . . . . . . . . . . . . . . 19
2.3 Response Times of User systems with Typical Causes . . . . . . . . . . . . . . . . . 25
2.4 Probabilities for Unsafe Failure Rates [62] . . . . . . . . . . . . . . . . . . . . . . . . 26
2.5 SIL Requirements after Risk Classification[66] [67] . . . . . . . . . . . . . . . . . . . 27
2.6 Hardware Implementation versus Speed of Response versus Inherent Safety . . . . . 28
3.1 Beam Interlock Systems in the CERN Accelerator Complex . . . . . . . . . . . . . . 31
3.2 RX FAULT and RX of the MAX3440E Transceiver [84] . . . . . . . . . . . . . . . . 38
3.3 Truth Table for the BEAM PERMIT INFO signals . . . . . . . . . . . . . . . . . . . 39
4.1 BEAM PERMIT and BEAM PERMIT INFO in the CERN Accelerator Complex . . 45
4.2 BEAM PERMIT used by Beam Transfer Systems in the CERN Accelerator Complex 48
4.3 Comparison of the Ring and Tree Beam Permit Loop Architectures . . . . . . . . . . 51
4.4 Tabulating the Losses for the Optical Power Budget . . . . . . . . . . . . . . . . . . 53
4.5 Comparison of LED and LASER Diode Technology [95] . . . . . . . . . . . . . . . . 53
4.6 Electrical Characteristics of the ELED Based Optical Transmitter . . . . . . . . . . 54
4.7 Interpretation of the Period Sigma Error Results . . . . . . . . . . . . . . . . . . . . 56
4.8 Probabilities of Glitch Occurence for sampling Windows from 1 to 6µs . . . . . . . . 59
4.9 Mean Time Between Glitch Occurences for sampling Windows from 1 to 6µs . . . . 60
4.10 Specifying the FAST Detection Parameters . . . . . . . . . . . . . . . . . . . . . . . 60
4.11 Specifying the SLOW Detection Parameters . . . . . . . . . . . . . . . . . . . . . . . 61
4.12 Deriving BEAM PERMIT INFO from BEAM PERMIT . . . . . . . . . . . . . . . . 64
4.13 Break-Down of Connections to the LHC Patch-Panel . . . . . . . . . . . . . . . . . . 65
4.14 Polarities and Failure Modes of the CIBM Critical Signals . . . . . . . . . . . . . . . 74
4.15 Mapping a MASK to a USER PERMIT . . . . . . . . . . . . . . . . . . . . . . . . . 78
4.16 Decoding the Source of the Safe Beam Flag . . . . . . . . . . . . . . . . . . . . . . . 79
4.17 Breakdown of the VERSION Bus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
4.18 Valid Values of the Upper Nibble of the VERSION Bus . . . . . . . . . . . . . . . . 80
4.19 CONFIGURATION of the Expected CIBM Matrix Type by Soldered Resistors . . . 80
4.20 Define the Monitor FPGA Base Address . . . . . . . . . . . . . . . . . . . . . . . . . 83
4.21 Manchester Encoded Single / Quad Byte Frame Format . . . . . . . . . . . . . . . . 88
4.22 Majority Voter Truth Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
4.23 Basic Categories of User System in the CERN Accelerator Complex . . . . . . . . . 93
4.24 USER PERMIT Current Loop Specification in the CIBU . . . . . . . . . . . . . . . 94
4.25 Converting TEST Data into Signals Within the CIBU . . . . . . . . . . . . . . . . . 96
4.26 Using CIBU ID to Determine CIBUx Type . . . . . . . . . . . . . . . . . . . . . . . 99
4.27 Summary of Different BIS Link Types Analysed for Integrity and EMC . . . . . . . 102
4.28 Low Frequency Design Limits Due to Electrical Length . . . . . . . . . . . . . . . . . 105
4.29 IEC 61000 Severity Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
4.30 EMC Test Result Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
249
250 LIST OF TABLES
4.31 EMC Test Results of Circuit in Figure 4.84 on page 107 . . . . . . . . . . . . . . . . 107
4.32 Sample from a Criticality Worksheet . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
4.33 Cross-Correlated FMECA Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
4.34 Results of the BIS Failure Modes, Effects and Criticality Analysis . . . . . . . . . . . 111
5.1 Time Delay of the CIBU circuits for a 5V User System . . . . . . . . . . . . . . . . . 128
5.2 Predicted and Observed Performance of the Prototype Beam Permit Loop . . . . . . 131
5.3 Optical Power Budget and Predicted Performance of the Beam Permit Loops in SPS 133
5.4 Predicted and Observed Performance of the SPS Beam Permit Loop . . . . . . . . . 133
A.1 Current Loop Observations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
A.2 Isolated RS485 Observations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
A.3 RS485 Observations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
B.1 NE12 Cable Delay Measurements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
C.1 List of LHC User Systems and Connections to the Beam Interlock System (July 2007) 160
D.1 Different Types of Records in the History Buffer . . . . . . . . . . . . . . . . . . . . 161
D.2 Five 8-bit MONITOR Registers Send by the CIBU . . . . . . . . . . . . . . . . . . . 163
D.3 Three 8-bit MONITOR Registers Appended to CIBU MONITOR Data by the CIBFx 163
D.4 Two 32-bit MONITOR Registers for Each CIBU Read from the CIBT . . . . . . . . 164
D.5 Two 32-bit MONITOR Registers for the CIBT . . . . . . . . . . . . . . . . . . . . . 165
D.6 Two 32-bit TEST Registers for Each CIBU Written to the CIBT by the CIBM . . . 168
D.7 Four 8-bit TEST Registers Written to the CIBU by the CIBT . . . . . . . . . . . . . 168
E.1 Socket Coding for the LHC Patch-Panel (CIBPL) . . . . . . . . . . . . . . . . . . . . 169
E.2 Socket Coding for the SPS Patch-Panel (CIBPS) . . . . . . . . . . . . . . . . . . . . 169
E.3 Controller Side Socket Coding for the User Interface (CIBU) . . . . . . . . . . . . . 169
E.4 User Side Socket Coding for the User Interface (CIBU) . . . . . . . . . . . . . . . . . 169
F.1 EMC Test Results of Circuit in Figure F.1 on page 171 . . . . . . . . . . . . . . . . 171
F.2 EMC Test Results of Circuit in Figure F.2 on page 172 . . . . . . . . . . . . . . . . 172
F.3 EMC Test Results of Circuit in Figure 4.84 on page 107 . . . . . . . . . . . . . . . . 172
F.4 EMC Test Results of Circuit in Figure 4.85 on page 107 . . . . . . . . . . . . . . . . 173
F.5 EMC Test Results of the VME Power Supply . . . . . . . . . . . . . . . . . . . . . . 174
F.6 EMC Test Results of the CIBU Power Supply (CIBD) . . . . . . . . . . . . . . . . . 174
H.1 Sub-System Probability of Failure for the Whole of LHC During a Ten-Hour Mission 181
H.2 Double User Interface Hourly Probability of Failure . . . . . . . . . . . . . . . . . . . 181
I.1 Majority Voter Truth Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Bibliography
[1] American Physical Society. The American Physical Society Presents ”A Century of
Physics”, post 1995.
http://timeline.aps.org/APS/Timeline/.
[2] ATLAS. ATLAS Physics eTour - Quarks and the scale of things, 2005.
http://www.atlas.ch/etours_physics/etours_physics05.html.
[3] P. Higgs. Broken symmetries, massless particles and gauge fields. In Physics Letters, Volume
12, Issue 2, pages 132-133, 15 September 1964.
http://cdsweb.cern.ch/search.py?recid=641590&ln=en.
[4] CERN. CERN-EX-9710002 Simulation of Higgs decay in the CMS detector, October 1987.
http://doc.cern.ch//archive/electronic/cern/others/PHO/photo-ex/9710002_10.jpeg.
[5] R. Cashmore. The Need to Understand Mass - Department of Physics, OXON, 1993.
http://hepwww.ph.qmw.ac.uk/epp/higgs2.html.
[6] D Castelvecchi. What is direct CP violation?, unknown.
http://www2.slac.stanford.edu/tip/special/cp.htm.
[7] CERN. Supersymmetry physics on (and off) the brane. In CERN Courier, Volume 40,
Number 10, December 2000.
http://www.cerncourier.com/main/article/40/10/19.
[8] Various. Online encyclopedia, 1995-date.
http://www.wikipedia.org/.
[9] CERN. “Is particle research useful?”. CERN public web-pages, 2006.
http://public.web.cern.ch/public/.
[10] SLAC Design Study Group. The Stanford Linear Collider SLC Website, 2003.
http://www2.slac.stanford.edu/vvc/experiments/slc.html.
[11] S. Myers. The LEP collider from design through to approval and commissioning. In The
John Adams Memorial Lecture, 26 November 1990.
http://sl-div.web.cern.ch/sl-div/history/lep_doc.html.
[12] KEK. The KEKB Design Report, 1999.
http://www-acc.kek.jp/KEKB/publication/KEKB_design_report/KEKB%20Design%20Report.html.
[13] J. Seeman et al. Status report on PEP-II performance. In Proceedings from EPAC’00,
Vienna, Austria, 26-30 June 2000.
http://accelconf.web.cern.ch/AccelConf/e00/PAPERS/MOXE03.pdf.
[14] G. H. Hoffstaetter. Future possibilities for HERA. In Proceedings from EPAC’00, Vienna,
Austria, 26-30 June 2000.
http://accelconf.web.cern.ch/AccelConf/e00/PAPERS/MOZE04.pdf.
[15] E. Clements. Twenty years of physics and technology achievements. In FermiNews Number
15, November 2003.
http://www.fnal.gov/pub/ferminews/ferminews03-11-01/p3.html.




[17] NRC. Revealing the Hidden Nature of Space and Time: Charting the Course for Elementary
Particle Physics, page 62. NRC, 2006.
http://www.nap.edu/catalog/11641.html.
[18] F. Tecker. Highlights from CERN: The CLIC Study for a future e+e− Linear Collider, 8
September 2005.
http://clic-study.web.cern.ch/CLIC-Study/Presentations/20050904.pdf.
[19] VLHC Design Study Group. Design Study for a Staged Very Large Hadron Collider, 4 June
2001.
http://tdserver1.fnal.gov/tddoc/DesignStudyReport/upload/PDF/Chap01_final_010604.pdf.
[20] T. Lesiak. Lecture V: Physics of Elementary Particles, 12 January 2006.
http://chall.ifj.edu.pl/~lesiak/lect05_accel.pdf.
[21] CERN - Scientific Information Service - Archive. Chronologie du CERN, 2005.
http://library.cern.ch/archives/chrono/chrono_2002_cern.php.
[22] CERN. Organisations Founding Convention, 1954.
http://public.web.cern.ch/public/Content/Chapters/AboutCERN/WhatIsCERN/CERNName/
CERNName-en.html.
[23] Jean-Luc Caron. LHC-PHO-1997-059 - LHC Layout, September 1997.
http:
//doc.cern.ch//archive/electronic/cern/others/PHO/photo-lhc//lhc-pho-1997-059.jpg.
[24] M. Brice and C. Marcelloni. CERN-EX-0606036 - View of the LHC tunnel with worker..., 21
June 2006.
http://doc.cern.ch//archive/electronic/cern/others/PHO/photo-ex/0606036_01.jpg.
[25] ATLAS Collaboration. ATLAS Detector Photos, ATLAS SE (labelled version), circa 2000.
http://atlas.ch/atlas_photos/fulldetector/fulldetector.html.
[26] CERN AC. CERN-DI-9803027 - Layout of CMS detector, a proposed experiment for the
LHC, March 1998.
http://doc.cern.ch//archive/electronic/cern/others/PHO/photo-di/9803027.jpeg.
[27] Vittorio Frigo. LHC-PHO-1997-206 - ALICE Detector, March 1997.
http:
//doc.cern.ch//archive/electronic/cern/others/PHO/photo-lhc//lhc-pho-1997-206.jpg.




[29] CERN PhotoLab. CERN-DI-2506025 - Simulation by the ATLAS experiment of the decay of
a Higgs boson..., June 1995.
http://doc.cern.ch//archive/electronic/cern/others/PHO/photo-di/9506025.jpeg.
[30] C. Vanoli. CERN-DI-0606052 - Accelerators [sic] complex of CERN, 30 June 2006.
http://doc.cern.ch//archive/electronic/cern/others/PHO/photo-di/0606052.pdf.
[31] O. Bru¨ning et al. The nominal operational cycle of the LHC with beam (version 1). In LHC
Project Note 313, CERN, 25 February 2003.
http://doc.cern.ch//archive/electronic/cern/others/LHC/Note/project-note-313.pdf.
[32] Laurent Guiraud. CERN-DI-0108001 - Plan which shows the LHC and SPS accelerators..., 6
August 2001.
http://doc.cern.ch//archive/electronic/cern/others/PHO/photo-di/0108001_01.jpg.
[33] CERN Council. The European Strategy for Particle Physics. CERN, 2006.
http://council-strategygroup.web.cern.ch/council-strategygroup/Strategy_Brochure.pdf.
[34] Jean-Luc Caron. CERN-DI-0108003 - Neutrinos for the CNGS project will be produced by a
special target and decay tunnel..., 8 August 2001.
http://doc.cern.ch//archive/electronic/cern/others/PHO/photo-di/0108003_01.jpg.
BIBLIOGRAPHY 253
[35] CERN. LHC Cost and Schedule Review Committee Report, 15 December 2003.
http://user.web.cern.ch/user/LHCCost/2003-12-15/CostScheduleReview2.pdf.
[36] CERN. ATLAS Technical Proposal for a General-Purpose pp Experiment at the Large
Hadron Collider at CERN, 15 December 1994.
http://atlas.web.cern.ch/Atlas/TP/NEW/HTML/tp9new/tp9.html.
[37] CERN. CMS Technical Proposal.
[38] CERN. ALICE Technical Proposal for A Large Ion Collider Experiment at the CERN LHC,
15 December 1995.
http://doc.cern.ch//archive/electronic/other/generic/public/cer-000214817.pdf.
[39] CERN. Status of the LHCb Experiment, 30 September 2005.
http://lhcb-doc.web.cern.ch/lhcb-doc/progress/Source/RRB/October_2005/RRB_status.pdf.
[40] CERN. CERN AC Note 2000/03: General description of the CNGS Project, 2000.
http://proj-cngs.web.cern.ch/proj-cngs/GeneralDescriptionVe/GDVe_p03.htm.
[41] R. Assmann and other. requirements for the LHC collimation system. In Proceedings from
EPAC’02, La Vilette, Paris, France, 3-7 June 2002.
adapted fromhttp://accelconf.web.cern.ch/AccelConf/e02/PAPERS/TUAGB001.pdf.
[42] LHC Design Group. LHC Design Report Chapter II - EDMS 445830, 1994.
https://edms.cern.ch/document/445830/5.
[43] R. Schmidt and J. Wenninger. Protection against accidental beam losses at the LHC. In
Proceedings from PAC’05, Knoxville, TN, USA, 16-20 May 2005.
http://epaper.kek.jp/p05/PAPERS/MOPA005.PDF.
[44] V. Kain et al. Material damage test with 450 gev LHC-type beam. In Proceedings from
PAC’05, Knoxville, TN, USA, 16-20 May 2005.
http://accelconf.web.cern.ch/AccelConf/p05/PAPERS/RPPE018.PDF.
[45] B. Goddard. Transfer line damage during high intensity proton beam extraction from the
SPS in 2004. In Proceedings from ICFA-HB 2006, Tsukuba, Japan, 31 May 2006.
http:
//indico.kek.jp/MaKaC/contributionDisplay.py?contribId=63\&sessionId=35\&confId=5.
[46] K. Wittenburg. Very fast beam losses at HERA and what has been done about it. In
Proceedings from ICFA-HB 2006, Tsukuba, Japan, 31 May 2006.
http:
//indico.kek.jp/MaKaC/contributionDisplay.py?contribId=117\&sessionId=35\&confId=5.
[47] N. Mokhov. Beam-induced damage to the tevatron components and what has been done
about it. In Proceedings from ICFA-HB 2006, Tsukuba, Japan, 31 May 2006.
http:
//indico.kek.jp/MaKaC/contributionDisplay.py?contribId=61\&sessionId=35\&confId=5.
[48] F. Bordry et al. LHC Project Report 521 - machine protection for the LHC: Architecture of
the beam and powering interlock systems. Technical report, CERN, Geneva, Switzerland,
2001.
http://doc.cern.ch/archive/electronic/cern/preprints/lhc/lhc-project-report-521.pdf.
[49] R.Schmidt. Diagnostics and protection of LHC equipment. In Proceedings from Chamonix X,
Chamonix, France, 17-21 January 2000.
http://doc.cern.ch//archive/electronic/other/sis/sis-2001-067.pdf.




[51] R. Schmidt. Diagnostics and protection of LHC equipment. In Proceedings from Chamonix
X, Chamonix, France, 17-21 January 2000. CERN.
http://sl-div.web.cern.ch/sl-div/publications/chamx2k/PAPERS/6_5.pdf.
[52] K.-H. Mess. Architecture of the machine protection system. In Proceedings from the
Workshop on LHC Performance, Chamonix XI, Chamonix, France, 15-19 January 2001.
254 BIBLIOGRAPHY
http://documents.cern.ch/archive/electronic/other/uploader/CHAMXI/8-5-khm.pdf.




[54] M. Zerlauth et al. From the LHC reference database to the powering interlock system. In
proceedings from ICALEPCS’03, Gyeongju, Korea, 13-17 October 2003.
http://accelconf.web.cern.ch/AccelConf/ica03/PAPERS/WP514.PDF.
[55] M. Zerlauth. Powering and Machine Protection of the Superconducting LHC Accelerator.
PhD thesis, Graz University in collaboration with CERN, 2004.
http://doc.cern.ch/archive/electronic/cern/preprints/thesis/thesis-2005-050.pdf.
[56] R.C. Agostini et al. PLC-based Interlock System for Superconducting Magnets. SLAC
Internal Publication SLAC-PUB-4976, May 1989.
http://www.slac.stanford.edu/cgi-wrap/getdoc/slac-pub-4976.pdf.
[57] B. Denis et al. The new control and interlock system for the SPS main power converters. In
Proceedings from ICALEPCS’99, Trieste, Italy, 4-8 October 1999. CERN.
http://documents.cern.ch/archive/electronic/other/uploader/ICAL/mc1p28.pdf.
[58] R. Schmidt et al. Beam loss scenarios and strategies for machine protection at the LHC. In
Proceedings from HALO’03, Montauk, Long Island, New York, USA, 19-23 May 2003.
http://doc.cern.ch/archive/electronic/cern/preprints/lhc/lhc-project-report-665.pdf.
[59] R.Schmidt and E. Radermacher. Facing new safety-challenges in a large particle accelerator
experiment at cern. In CMS Internal Note, CERN-CMS-CR-1999-004, 1999.
http://cmsdoc.cern.ch/documents/99/cr99_004.pdf.
[60] M.C. Wilson et al. DIAMOND personnel safety system. In proceedings from ICALEPCS’03,
Gyeongju, Korea, 13-17 October 2003.
http://accelconf.web.cern.ch/AccelConf/ica03/PAPERS/WP515.PDF.
[61] IEC. IEC 61508 - functional safety of electrical/electronic/programmable-electronic safety
related systems. Technical report, IEC, Geneva, Switzerland, 1998.
[62] IEC. IEC 61508-1 - functional safety of electrical/electronic/programmable-electronic safety
related systems, part 1: General requirements. Technical report, IEC, Geneva, Switzerland,
1998. 7.6.2.9 Table 3: high demand or continuous mode operation SIL.
[63] R. Schmidt. Private communication. other accelerator faults when scaled to LHC, 30 June
2006.
[64] A. Drees et al. Reliability of beam loss monitor system for the large hadron collider. In
Proceedings from BIW’04, Geneva, Switzerland, May 2004.
http://www.sns.gov/workshops/20040503_biw04/presentations_for_web/5-4-02_guaglio.ppt.
[65] A. Drees et al. Review of the LHC collimation system - report of the review committee.
Technical report, CERN, Geneva, Switzerland, 2004.
http://lhc-collimation-project.web.cern.ch/lhc-collimation-project/review-report04/
report.pdf.
[66] IEC. IEC 61508-5 - functional safety of electrical/electronic/programmable-electronic safety
related systems, part 5: Examples of methods for determining safety integrity levels.
Technical report, IEC, Geneva, Switzerland, 1998. Appendix B, Table B.1: Example of Risk
Classification of Accidents.




[68] R. Filippini et al. Reliability assessment of the LHC machine protection system. In
Proceedings from PAC’05, Knoxville, TN, USA, 16-20 May 2005.
http://doc.cern.ch/archive/electronic/cern/preprints/lhc/lhc-project-report-812.pdf.
BIBLIOGRAPHY 255
[69] D.D. Reid et al. A VME/X-Windows based control system for a clinical neutron machine. In
Proceedings from ICALEPCS’99, Trieste, Italy, 4-8 October 1999.
http://documents.cern.ch/archive/electronic/other/uploader/ICAL/wc1p50.pdf.
[70] N.G. Leveson. Safeware: System Safety and Computers. Addison-Wesley, 1995. direct quote,
page 27 ISBN 0-201-11972-2.
[71] P.E. Ross. The exterminators. In IEEE Spectrum, September 2005.
http://ieeexplore.ieee.org/iel5/6/32236/01502527.pdf?tp=\&arnumber=1502527.
[72] N.G. Leveson. Safeware: System Safety and Computers. Addison-Wesley, 1995. cited on
page 28, ISBN 0-201-11972-2.
[73] S. Toutoutnchi and A. Lai. FPGA test and coverage. In ITC International Test Conference,
2002.
http://ieeexplore.ieee.org/iel5/8073/22329/01041811.pdf?isNumber=.
[74] P. Garrault. Methodologies for Efficient FPGA Integration into PCBs, 2003.
http://www.xilinx.com/bvdocs/whitepapers/wp174.pdf.
[75] S. Horn et al. Implementation of a personnel safety interlock system based on
reprogrammable I/O hardware. In Proceedings from ICALEPCS’99, Trieste, Italy, 4-8
October 1999. CERN.
http://documents.cern.ch/archive/electronic/other/uploader/ICAL/mc1p05.pdf.
[76] C.R. Scorzato et al. LNLS interlock system. In Proceedings from EPAC’96, Sitges,
Barcelona, Spain, 10-14 June 1996.
http://accelconf.web.cern.ch/accelconf/e96/PAPERS/THPL/THP073L.pdf.
[77] T. Grevsmu¨hl. The RF-station interlock for the european X-Ray laser. In Proceedings from
LINAC’04, Lubeck, Germany, 16-20 August 2004.
http://accelconf.web.cern.ch/accelconf/l04/PAPERS/THP49.pdf.
[78] B. Puccio et al. The beam interlock system for the LHC. Technical report, CERN, 17
February 2005.
https://edms.cern.ch/file/567256/0.2/LHC-CIB-ES-0001-00-10.pdf.
[79] H. Smith et al. Radiation and electrical safety systems for PEP. In Proceedings from
PAC’81, Washington, DC, USA, 11-13 March 1981.
http://accelconf.web.cern.ch/accelconf/p81/PDF/PAC1981_2800.pdf.
[80] NuMI Technical Design Handbook. Chapter 4.8 - controls, interlocks and cable installation
(WBS 1.1.8). Chapter 4.8, FNAL, March 2004.
http://www-numi.fnal.gov/numwork/tdh/TDH_V3_4.8_Controls.pdf.
[81] C.R. Conkling. RHIC beam permit and quench detection communications system. In
Proceedings from PAC’97, Vancouver, BC, Canada, 12-16 May 1997.
http://accelconf.web.cern.ch/accelconf/pac97/papers/pdf/6P023.PDF.
[82] K.-H. Mess et al. Interlock and protection systems for superconducting accelerators:
Machine protection system for LHC. In Proceedings from WAO’01, Villars-sur-Ollon,
Switzerland, 28 January - 2 February 2001. CERN.
http://doc.cern.ch//archive/cernrep/2001/2001-002/p140.pdf.
[83] LHC Crates AB. Order for LHC VME Chassis’, 10 July 2006.
https://edh.cern.ch/Document/TID/2223342.
[84] Dallas / Maxim Semiconductor. ESD-Protected, Fault-Protected, 10Mbps, Fail-Safe
RS-485/J1708 Transceivers, 19-2666, Rev 0, October 2002.
http://pdfserv.maxim-ic.com/en/ds/MAX3440E-MAX3444E.pdf.
[85] P.Dahlen M. Zerlauth and R. Harrison. PIC / WIC for cern magnet protection. CERN.
PLCs use Field-Bus technology which is an extension of RS-485.
[86] S. Xiong et al. Upgrading beam line interlock and control systems at the BSRF. In
Proceedings from ICALEPCS’99, Trieste, Italy, 4-8 October 1999.
http://documents.cern.ch/archive/electronic/other/uploader/ICAL/wc1p02.pdf.
256 BIBLIOGRAPHY
[87] S. Takeda et al. Safety and interlock system for TRISTAN. In Proceedings from PAC’87,
Washington, DC, USA, 16-19 March 1987.
http://accelconf.web.cern.ch/accelconf/p87/PDF/PAC1987_0695.pdf.
[88] Dallas / Maxim Semiconductor. Application note 1064: Designing a 4-20 mA current loop...
Technical report, Dallas / Maxim Semiconductor, 1 May 2002.
http://pdfserv.maxim-ic.com/en/an/AN1064.pdf.
[89] M.R. Wilson. TIA/EIA-422-B overview. Technical report, National Semiconductor, January
2000.
http://www.national.com/an/AN/AN-1031.pdf.
[90] J.Lewis et al. The evolution of the CERN SPS timing system for the LHC era. In
proceedings from ICALEPCS’03, Gyeongju, Korea, 13-17 October 2003.
http://accelconf.web.cern.ch/AccelConf/ica03/PAPERS/MP535.PDF.
[91] Xilinx. XC9500XL high-performance CPLD family data sheet, DS054, v2.2. Technical
report, Xilinx, 25 July 2006.
http://www.xilinx.com/bvdocs/publications/ds054.pdf.
[92] Force Optical Broadcast Systems. Optical link loss budget. Technical report,
http://www.fiber-optics.info/, 2005.
http://www.fiber-optics.info/articles/loss-budget.htm.
[93] Force Optical Broadcast Systems. Table 1 - types of optical connectors. Technical report,
http://www.fiber-optics.info/, 2005. 0.5dB chosen as pessimistic from ST-SM value of
typical 0.4dB
http://www.fiber-optics.info/articles/connector-care.htm%#Table_1.
[94] Fujikura. Large-capacity & low-loss optical transmission in the 1310nm and 1550nm window.
Technical report, http://www.fujikura.co.jp, 2006. guarantees less than 0.35dB per km
http://www.fujikura.co.jp/optcable/ei/sm.html.
[95] G. Snell. An introduction to fibre optics and broadcasting. Technical report, SMPTE
Journal, January 1996.
http://www.leitch.com/resources/tutorials/january.pdf.
[96] Agilent Technologies. Inexpensive dc to 32 MBd fiber-optic solutions ... - application note
1121. Technical report, Agilent Technologies, 18 July 2005.
http://www.avagotech.com/assets/downloadDocument.do?id=177.
[97] Dallas / Maxim Semiconductor. Physical layer performance: Testing the bit error ratio
(BER). Technical report, Dallas / Maxim Semiconductor, October 2004.
http://pdfserv.maxim-ic.com/en/an/3419.pdf.
[98] Xilinx. Device reliability report Q4-05, UG116, v2.9. Technical report, Xilinx, February 2006.
http://www.xilinx.com/bvdocs/userguides/ug116.pdf.
[99] J. le Mauff. CPLD MTBF due to Atmospheric Neutrons at Sea Level, January 2004. private
communication, no problems expected with 9500 technology.
[100] P. Nouchi. CIBM SPS Extraction Equipment, July 2006. failed device due to foreign object
causing pin-pin short.
[101] M. Sampson and H. Leidecker. Tin Whiskers, 20 April 2005.
http://nepp.nasa.gov/whisker/background/index.htm.
[102] P. Alfke. Metastable Recovery in Virtex-II Pro FPGAs, XAPP094, v0.3. Technical report,
Xilinx, November 2002.
http://direct.xilinx.com/bvdocs/appnotes/xapp094.pdf.
[103] K. Chapman. Get Smart About Reset, think Local not Global, TechXclusive. Technical
report, Xilinx, March 2001.
http://www.xilinx.com/xlnx/xweb/xil_tx_home.jsp.
[104] ANSI / VITA. American National Standard for VME64, 10 April 1995.
http://www.vita.com.
BIBLIOGRAPHY 257
[105] ANSI / VITA. American National Standard for VME64 Extensions, 7 October 1998.
http://www.vita.com.
[106] Xilinx. XC9500 In-System Programmable CPLD Family, DS063, v5.4, 3 April 2006.
http://www.xilinx.com/bvdocs/publications/ds063.pdf.
[107] Q. King A. Dinius et al. Radiation Tests on the LHC Power Converter Control Electronics,
Universite Catholique de Louvain-la-Neuve. Technical report, CERN, 12 June 2003.
http://documents.cern.ch//archive/electronic/cern/others/ab/ab-note-2003-041.pdf.
[108] M. Werner. Private Communication, 2005.
[109] B&B Electronics. Current Loop Application Note, CLAN1495, January 1995.
www.bb-elec.com/bb-elec/literature/tech/curentlp.pdf.
[110] R. Schmitt. Electro-Magnetics Explained, pages 290–293. In [141], 2002. Differential and
Common Mode Radiation.
[111] R. Schmitt. Electro-Magnetics Explained, page 269. In [141], 2002. The 5/5 rule, 5ns or
5MHs.
[112] R. Schmitt. Electro-Magnetics Explained, page 286. In [141], 2002. The 3W rule, preventing
crosstalk.
[113] R. Schmitt. Electro-Magnetics Explained, page 266. In [141], 2002. Using encased PCBs for
signals, striplines.
[114] R. Schmitt. Electro-Magnetics Explained, page 267. In [141], 2002. Using copper pours and
stitching in unused sections of PCBs.
[115] R. Schmitt. Electro-Magnetics Explained, pages 8, 14. In [141], 2002. Definition of what is
considered a short electrical length.
[116] R. Schmitt. Electro-Magnetics Explained, page 190. In [141], 2002. Grounding shields.
[117] R. Schmitt. Electro-Magnetics Explained, page 252. In [141], 2002. Frequency spectrum of
digital signals, frequency as a function of rise time.
[118] R. Schmitt. Electro-Magnetics Explained, page 301. In [141], 2002. Using twisted pairs leads
to a B-proof system.
[119] R. Schmitt. Electro-Magnetics Explained, page 301. In [141], 2002. Applying grounds at both
ends leads to a best response at HF.
[120] R. Schmitt. Electro-Magnetics Explained, page 302. In [141], 2002. Balanced signalling is
E-Proof.
[121] A. Charoy. Installation and Remedies (originally in French), page 98. In [142], 1985-2004.
reference 37155-AC4: Ground Wire proximity leads to best performance.
[122] A. Charoy. Installation and Remedies (originally in French), page 101. In [142], 1985-2004.
reference 48105-DP3: Connect both shields of a cable connecting systems.
[123] A. Charoy. Installation and Remedies (originally in French), pages 105–106. In [142],
1985-2004. references 37206-AC3 and 35413-AC3: Put unused wires to ground.
[124] A. Charoy. Installation and Remedies (originally in French), page 20. In [142], 1985-2004.
reference 37171-AC3: General equipment ground connections.
[125] A. Charoy. Installation and Remedies (originally in French), page 71. In [142], 1985-2004.
reference 35173-GC4: Abandon separate grounds.
[126] A. Charoy. Installation and Remedies (originally in French), page 74. In [142], 1985-2004.
reference 37424-AC4: Connected grounds guarantee a good system.
[127] A. Charoy. Installation and Remedies (originally in French), page 91. In [142], 1985-2004.
reference 37425-AC3: There should be only one ground (ground = earth = 0V).
[128] A. Charoy. Installation and Remedies (originally in French), page 106. In [142], 1985-2004.
reference 35413-AC3: Forbid the use of pig-tails in shielding.
258 BIBLIOGRAPHY
[129] W-IE-NE-R Plein & Baus GmbH. Series 6000 lhc vme 64x crate user manual - *00647.a0.
Technical report, W-IE-NE-R, 2003. Page 8: EN 61 000 - 4 - 4: 1995.
[130] Tracopower. Enclosed Power Supplies, TXL Series, 25-600 Wat - 09/05.1. Technical report,
Tracopower, 2005.
http://dsb.tracopower.com/upload/dsbuserfile/cpn_tracopower/mdt_7022/0_txl.pdf.
[131] US DoD. Military Handbook, Reliability Prediction of Electronic Equipment -
MIL-HDBK-217F/i/ii. Technical report, US DoD, 2 December 1991. including addendum i
and ii.
[132] US DoD. Military Handbook, Electronic Reliability Design Handbook - MIL-HDBK-338B.
Technical report, US DoD, 1 October 1998.
[133] US DoD. Military Standard, Procedures for Performing a Failure Modes Effects and
Criticality Analysis - MIL-STD-1629A. Technical report, US DoD, 24 November 1980.
[134] US DoD. Faiure Mode/Mechanism Distributions - FMD-97. Technical report, Reliability
Analysis Centre, 1 October 1998.
[135] J. Wenninger et al. Results of Fast Magnet Current Change Tests. Technical report, CERN,
16 August 2006. unpublished.
[136] R. Schmitt. Electro-Magnetics Explained, page 8. In [141], 2002. Definition of Electrical
Length.
[137] DRAKA Multimedia Cables. Symmetrical FRNC - cables for data transmission and process
control according to CERN specification. Technical report, DRAKA Multimedia Cables, 24
August 2004.
NE P cern spec 165 e.doc.
[138] A. Charoy. Installation and Remedies (originally in French), page 75. In [142], 1985-2004.
reference 37218-AC6: Use Fibre Optics to ensure a galvanic isolation.
[139] L. Davis. Logic Family Slew Rate. Online. Assume 1V/ns from
http://www.interfacebus.com/IC_Output_Slew_Rate.html.
[140] Analog Devices. AD8611/AD8612 Ultrafast 4ns Single Supply Comparators - Revision 0.
Technical report, Analog Devices, 2000.
http://www.analog.com/UploadedFiles/Data_Sheets/703465986AD8611_2_0.pdf.
[141] R. Schmitt. Electro-Magnetics Explained. Newnes, 2002.
[142] A. Charoy. Installation and Remedies (originally in French). AEMC, 1985-2004.
[143] H. Kopka and P.W. Daly. Guide to LATEX. Addison-Wesley, 4th edition edition, 2004.
[144] C. Zamantzas. Real-Time Data Analysis and Decision System for Particle Flux Detection in
the LHC Accelerator at CERN. PhD thesis, Brunel University in collaboration with CERN,
2006.
http://czam.web.cern.ch/czam/Thesis_doc/BLMTC_V8_060117_BRUNEL.pdf.
[145] T. Oetlker et al. The not so short introduction to LATEX2ε 4.20.
http://www.tug.org/tex-archive/info/lshort/english/lshort.pdf, 31 May 2006.
[146] University of Brunel. Brunel University Research Student Guide, 2006.
Glossary of Terms, Acronyms and
Abbreviations
µP Microprocessor
7400 Series The first widespread family of Integrated Circuit families
AGAN As Good As New - This implies that the failure rate of a system is restored to its
original value following a system test
ALARP As Low As Reasonable Possible - The chances of a system unsafe failure should be
ALARP, IEC 61508 defines a statistic value for these failures
ALICE A Large Ion Collider Experiment
ATE Automated Test Equipment
ATLAS A Large Toriodal LHC Apparatus
BA An SPS surface building (1-6)
BaBar A multi-layer particle detector at SLAC
Beam Abort A controlled removal of circulating beam in the SPS or LHC accelerators
Beam Permit Loops Communications channels connecting the Beam Interlock Systems to the
relevant Beam Transfer or beam dumping system
BEAM PERMIT Signals given to the Beam Transfer and beam dumping systems that evaluate to
TRUE when the required User Systems connected to the Beam Interlock System give
permission for beam operation
BEAM PERMIT INFO A signal transmitted from the Beam Interlock System to User Systems
that evaluates to TRUE when the Beam Interlock System gives permission for beam
operation
Belle A particle detector part of the KEKB accelerator complex
BER Bit Error Rate
BERT Bit Error Rate Tester
BESSY Berliner Elektronenspeicherring-Gesellschaft fu¨r Synchrotron Strahlung - Berlin
electron storage ring company for synchrotron radiation
BGA Ball Grid Array
BIC Beam Interlock Controller
BIS Beam Interlock System
BLMS Beam Loss Monitor System
BSRF Beijing Synchrotron Radiation Facility
BT System Beam Transfer System - The control system and kicker magnets that are responsible
for the deflection of beam from one part of the accelerator complex to another
CCC CERN Control Centre
259
260 Glossary of Terms, Acronyms and Abbreviations
CERN European Council for Nuclear Research - commonly referred to as Euporean Centre
for Nuclear Research, or European Centre for Particle Physics
CIBD Controls Interlocks Beam DC - A DC supply for the User Interface electronics
CIBE Controls Interlocks Beam Extenders - The extension boards that link the VME bus to
the patch-panels
CIBF Controls Interlocks Beam Fibre - An extension kit that can be used to increase the
length between User Interface and Beam Interlock Controller above the 1200m
maximum of RS485
CIBG (or CIBMG) Controls Interlocks Beam Generator - The generator of the permit loop
frequency
CIBM Controls Interlocks Beam Manager - The Manager board
CIBM ID An identification bit that informs the Manager board whether it is installed in the left
or the right hand side of a chassis
CIBMD Controls Interlocks Beam Manager Display - The display board attached to the
Manager
CIBO Controls Interlocks Beam Optical - The optical transceiver used to convert light
signals to electronic ones and vice-versa
CIBO.Pxx A specific prototype optical transceiver
CIBP Controls Interlocks Beam Patch - The patch-panel used principally to connect the
VME to the User Interfaces
CIBP ID An identification bit that informs the Manager board whether it is connected to an
SPS or LHC type chassis
CIBT Controls Interlocks Beam Test & Monitor - The Test & Monitor board
CIBTD Controls Interlocks Beam Test Display - The display board attached to the Test &
Monitor
CIBU Controls Interlocks Beam User - The User Interface
CIBU ID A unique ten-bit identification number assigned to each User Interface
CIBUD Controls Interlocks Beam User Double - A double-interface to a User System
CIBUS Controls Interlocks Beam User Single - A single-interface to a User System
CIBV (or CIBMV) Controls Interlocks Beam Verifier - A Manager board configured to
observe the beam permit loops and derive BEAM PERMIT
CIBX (or CIBMX) Controls Interlocks Beam eXtraction - A Manager board configured to
control the extraction regions, replacing the Manager board in the Master Beam
Interlock Controller
CLIC Compact Linear Collider
Closed-Loop A beam permit loop that reads the output of the final stage and uses it to control
the signal generation
CMS Compact Muon Solenoid
CNGS CERN Neutrinos to Gran Sasso
CP Charge Parity
CPLD Complex Programmable Logic Device
CTG Controls Timing Generator - The source of timing information for the CERN
accelerator complex
CTRV Controls Timing Receiver VME - A VME based timing receiver board that
synchronises to the CERN timing system
Current Loops A communications interface that uses current instead of voltage for signalling
Glossary of Terms, Acronyms and Abbreviations 261
dB deciBels
dBm deciBel milliWatts - An absolute value of power referenced to one milliWatt
DC Direct Current - A synonym for constant
DESY Deutsches Elektronen Synchrotron - German Electron Synchrotron
DET Detector - A device implemented in the Beam Transfer or beam dumping system that
determines whether BEAM PERMIT is TRUE or FALSE
Double Interface A User Interface (CIBUD) that allows a pair of interlock connection to be made
between User System and Beam Interlock System(s)
Electrical Length The fraction of a signal’s wavelength that will be present at one time in a given
length of material
ELED Edge Light Emmitting Diode
EMC Electro-Magnetic Compatibility
eV electron-Volt
FAST DETECT Circuits detecting the presence or abscence of a frequency in a short amount of
time having a low accuracy
FermiLab Fermi National Accelerator Laboratory
FESA Front End Software Architecture
FIT Failures in Time - Failures per billion operating hours
FMCM Fast Magnet Current-Change Monitor
FMECA Failure Modes, Effects and Criticality Analysis
FPGA Field Programmable Gate Array
FSM Finite State Machine
GeV Giga electron-Volt = 109 eV
GMT General Machine Timing
GUT Grand Unification Theory
HEP High Energy Physics
HERA Hadron-Elektron-Ringanlage - Hadron-Electron Ring Accelerator
History Buffer A record of events maintained in each Manager board that is synchronised to the
CERN General Machine Timing to within one microsecond
HQ208 A 208 pin flat pack Integrated Circuit
IC Integrated Circuit
IEC 61000 IEC standard related to Electro-Magnetic Compatibility
IEC 61508 Functional safety of electrical/electronic/programmable electronic safety related
systems
ILC International Linear Collider
Independant User System Any User System that interlocks LHC beam-1 and beam-2 separately,
having a different connection to the Beam Interlock System for beam-1 and beam-2
IP Internet Protocol
IR Insetion Region (1-8)
ISOLDE On Line Isotope Mass Separator - A facility at CERN generating radioactive ion
beams for different experiments
ISR Intersecting Storage Rings
262 Glossary of Terms, Acronyms and Abbreviations
JTAG Joint Test Action Group - The name used for the IEEE 1149.1 standard entitled
Standard Test Access Port and Boundary-Scan Architecture
KEK Ko¯ Enerug¯i Kasokuki Kenkyu¯ Kiko¯ - A high energy accelerator research organisation
in Tsukuba, Ibaraki Prefecture, Japan
KEKB An electron-positron collider at KEK
LASER Light Amplification by Stimulated Emmission of Radiation
LBDS LHC Beam Dumping System
LD LASER Diode
LEP Large Electron Positron
LHC Large Hadron Collider
LHC-b LHC beauty - an experiment of the LHC
LINAC Linear Accelerator
LNLS Laborato´rio Nacional de Luz S´ıncrotron - Brazilian National Laboratory of
Synchrotron Light
LOCAL BEAM PERMIT A signal given by a Beam Interlock Controller that evaluates to TRUE
when all locally connected User Systems give permission for beam operation
M Theory A potential Theory of Everything showing that popular string theories could be
viewed as sub-sets of a single M Theory
Manchester Encoding A form of communications where each but that is encoded is represented by
at least one voltage level transition, Manchester encoding is used throughout the
Beam Interlock System for serial data connections
MASKING Allowing a certain predefined section of USER PERMIT signals to be ignored, or
masked, when the beam energy and intensity in the machine is considered as below
damage thresholds as indicated by the Safe Beam Flag
Matrix The key element of the Manager board, responsible for deriving
LOCAL BEAM PERMIT from the connected USER PERMIT signals
MAX3440E A ‘true fail-safe’ slew-rate limited fault-protected RS485 transceiver from MAXIM
MBIC Master Beam Interlock Controller
MDB Measurement Database
MeV Mega electron-Volt = 106 eV
MONITOR A serial communications channel that contains monitor data
MPS Machine Protection System
MTBF Mean Time Between Failures
NE12 A CERN standard cable used for control interconnects, with full copper sheild, having
12 wires in six twisted pairs each with an impedance of 90Ω
NRZ Non Return-to-Zero
NuMI Neutrinos at the Main Injector - A beamline facility at Fermilab which produces
neutrinos
OPB Optical Power Budget
Open-Loop A beam permit loop that does not have feedback from the final stage
PCB Printed Circuit Board
PEP Positron Electron Project - An accelerator at SLAC recently rebuilt as PEP II
PEP II Positron Electron Project II - An accelerator at SLAC
PIC Power Interlock Controllers
Glossary of Terms, Acronyms and Abbreviations 263
PIN Diode P-type intrinstic N-type diode
PLC Programmable Logic Controller
Post Mortem A process that is carried out following a Beam Abort, this involves reading data
from protection systems to ensure that the system functions were all carried out and
that the system safety was not compromised
PPC Power PC
PRBS Pseudo Random Bit Sequence
PS Proton Synchrotron
PSB Proton Synchrotron Booster
QPS Quench Protection System
R&D Research and Development
RF Radio Frequency
Ring Architecture One of the two heirarchies that can be implemented by the Beam Interlock
System. Ring architectures are used to protect the circular SPS and LHC accelerators
RS485 TIA/EIA 485 - A multi-drop differential signalling standard
RZ Return-to-Zero
SBDS SPS Beam Dumping System
SBF Safe Beam Flag
Simultaneous User System Any User System that interlocks both LHC beams at the same time
without differentiating between ring-1 for beam-1 and ring-2 for beam-2
Single Interface A User Interface (CIBUS) that allows a single interlock connection to be made
between User System and Beam Interlock System
SIS Software Interlock System
SLAC Stanford Linear Accelerator Center
SLC Stanford Linear Collider - An electron positron collider at SLAC
SLOW DETECT Circuits detecting the value of a frequency to a relatively high accuracy taking a
relatively long time
SMP Safe Machine Parameters project
SMPR Safe Machine Parameters Receiver
SNR Signal to Noise Ratio
SNS Spallation Neutron Source - An accelerator based neutron source built in Tennessee,
USA
Software Interlock An interlock signal that is present in ever Manager board, if this enabled it
allows a command written to the Manager via the VME to be considered as a
fifteenth User System of that Manager board
SOFTWARE PERMIT A signal given to the matrices by the monitor FPGA of the Manager
board, it evaluates to TRUE when the monitor FPGA permits beam operation
SPS Super Proton-Synchrotron
SSC Start Super Cycle
Standard Model A theory describing fundamental forces and interactions
SUSY Super Symmetry
TEST A serial communications channel that contains test data
TeV Tera electron-Volt = 1012 eV
Tevatron A circular proton-antiproton Accelerator at Fermilab, Illinois, USA
264 Glossary of Terms, Acronyms and Abbreviations
TI2 Transfer line from the end of TT60 to the LHC beam-1 injection in IR2
TI8 Transfer line from the end of TT40 to the LHC beam-2 injection in IR8
TIA Trans-Impedance Amplifier
TMR Triple Mode Redundancy
TOE Theory of Everything
TPU Tertiary Permit Unit - A third set of detection circuits for the LHC Beam Dumping
System
Tree Architecture One of the two heirarchies that can be implemented by the Beam Interlock
System. Tree architectures are used to protect transfer lines, injection and extraction
regions of the CERN accelerator complex
TRISTAN - An electron-positron colliding beam facility at KEK, Japan
True ‘Fail-Safe’ This indicates that a circuit will fail to a known level when its operation is outside
of prefined tolerances, it differs from ‘fail-safe’ in that no biasing network is required
to fix a predefined level
TT40 Transfer line from SPS point 4 that leads to TT41 anf TI8
TT41 Transfer line from the end of TT40 to the CNGS target
TT60 Transfer line from SPS point 6 that leads to TI2
TVS Transient Voltage Suppressor diode
UPS Uninterruptible Power Supply
User Interface A device that is given to each User System providing an interface between the User
System electronics and the Beam Interlock System
User System A system which is connected as an input to a Beam Interlock System
USER PERMIT Signals given by User System that evaluate to TRUE when operation with beam
is allowed
VHDL VHSIC Hardware Description Language
VHSIC Very High Speed Integrated Circuit
VLHC Very Large Hadron Collider - A hypothetical future hadron collider with performance
significantly beyond the Large Hadron Collider
VME FAN Ventilation tray that is fitted to each VME chassis
VME PSU Power supply for the VME chassis
VMEbus (commonly VME) VERSAmodule Eurocard or Versa Module Europa - A computer
bus standardized by the IEC as ANSI/IEEE 1014-1987
WIC Warm Magnet Interlock Controllers
WIMP Weakly Interacting Massive Particle
www World Wide Web
Index







BEAM PERMIT, 48, 69
Activation Time, 45
Feedback, 43




Beam Abort Gap, 32
Beam Interlock Controller, 35, 64
Chassis, 36, 65
Power PC, 36, 65





















Generator, 34, 61, 71
Jitter, 55–57
Open-Loop, 34, 50








Beam Transfer Systems, 48
BIC, see Beam Interlock Controller











Current Loops, 39, 46, 101
Dependability, 26, 41, 109–112
Blind Failure, 109
Criticality Worksheet, 110
Failure Modes, 26, 29





Mean Time Between Failures, 26
Mission, 27



























Front End Software Architecture, 118,
134
General Machine Timing, 36, 38
Receiver, 65
GMT, see General Machine Timing
Independent Interlocking, see User
Systems
Injection Permit, 50
Injector Chain, see Accelerator Complex
JTAG, 75









LHC, see Large Hadron Collider
LOCAL BEAM PERMIT, 35, 36, 48, 64, 68,
76
Latching, 74
Machine Protection System, 1, 20
Architecture, 21
Beam Absorbers, 23
Beam Loss Monitor System, 22
Collimation, 23
Core Safety Structure, 28
Fast Magnet Current-Change Monitors,
23
Inherent Redundancy, 24
LHC Beam Dumping System, 1, 21
Powering Interlocks, 17, 23
Quench Protection System, 17
Magnet Quench, 1
Response Times, 25, 32
Safe Machine Parameters, 22
Magnetic Cycle, 13, 18













Manchester Encoding, 47, 88, 113
MASK, 73, 78, 84
Master Beam Interlock Controller, 45, 50, 71,
129, 136
MBIC, see Master Beam Interlock
Controller





Dark Matter, 5, 6
Fundamental Interactions, 3
Grand Unified Theory, 6







Theory of Everything, 6
Weakly Interacting Massive Particles, 5,
6
MONITOR, 70, 84, 91, 93, 95, 113
MPS, see Machine Protection System
NE12 Cable, 46, 65
Normal-Conducting Magnets, 9
OPB, see Optical Power Budget




PLC, see Programmable Logic
Controllers
Post Mortem, 41, 63, 120
Programmable Logic Controllers
in protection systems, 23
safety series, 28
Programmable Logic Devices, 28
Complex Programmable Logic Devices, 28,
37, 71




Ring Architecture, 31, 34, 44, 48
RS485, 37–38, 46, 93, 101, 113, 122
True Fail Safe, 37
Safe Machine Parameters, 22, 37
Beam Energy, 22
Beam Intensity, 22
Beam Presence Flag, 22
Machine Mode, 22
Receiver, 65
Safe Beam Flag, 22, 37, 65, 73








SBF, see Safe Machine Parameters
SIL, see Safety Integrity Levels
Simultaneous Interlocking, see User
Systems
SIS, see Software Interlocks
SMP, see Safe Machine Parameters








Powering Circuit Energy, 18
Superconducting Magnets, 9






Working Prototype, 133, 139
Tertiary Permit Unit, 63, 72
TEST, 70, 84, 91, 93, 95
Test & Monitor, 36, 84, 87
Display, 91
Display Driver, 87, 91
Serial Communications, 87, 90
Test Mode, 113, 115, 125
Tin Whiskers, 75
Transient Voltage Suppressors, 37
Tree Architecture, 31, 34, 44, 50




User Interface, 37, 39, 65, 93
CPLD, 93
DC Power Supply, 40




Power Supply, 98, 108







Typeset with LATEX2ε RBPOG [143] [144] [55] [145] [146] c© Benjamin TODD, 2006.
