Introduction
The LPI pre-injector is the first machine in a series chain of four accelerators that provides e*+ beams for the Large Electron Positron Collider(LEP) at the European Laboratory for Particle Physics (CERN) near Geneva. The klystron-modulators in the LPI preinjector operate at lOOHz rate and each provides up to 35 MW of peak RF power for the acceleration of the electron beams. Over a period of time, and with continuous system usage, components, active elements and sub-systems in the klystron-modulators start to age and have caused the overall reliability and availability of the process to degrade. The reliability of the total process and the availability of each accelerator in this series production chain is dependent on the reliability of every individual subsystem in each of the four accelerators. The overall process reliability R, is given by an iterative product rule that uses the reliability of all elements Ri in this series chain, regardless of the particular failure distributions of components used.
The reliability iterative product rule is given by n The greater the number of series elements in the chain, the lower will be the process reliability. More importantly, the overall reliability of the total system becomes lower than that of the weakest system or sub-system.
The interlock relay protection sub-systems used in each of the LPI klystron-modulators, and part of the chain, were found to be increasingly contributing to the downtime and unreliability of the lepton production process. This paper describes the reliability problem and the design of a new replacement interlock protection system. The new design uses a micro-processor that has greatly improved modulator reliability and has added extra functionality to the protection system. internal contact problems was difficult.
To overcome these difficulties a more reliable system has been designed using commercial solid state G64 micro-processor and opto-coupled interface board technology to replace the relay logic system. The new scheme, apart from improving modulator reliability can store up to eight complete fault sequences in local memory, in a fully time ordered presentation. Within each sequence the fir!;t eight faulty interlocks are memorised together with a date and time tag to give maximum fault finding information.
Micro-processor interlock system
The design requirements for the new interlock protection system were:
A fail-safe design approach High reliability An ordered fault memorisation Interfacing to control system and Oracle database Conforming to C E W personnel security requirements Hardware design A stand-alone protection system [l] has been developed that uses the MC6809, 8 bit micro-processor within a G-64 data bus crate. This system handles the 120 input signals via purpose-designed 32-way input buffer cards. Each input interlock signal generates three output signals. These are used for the following purposes :
1)
A direct interlock connection to the 32 way Complete electrical compatibility with old system input card for modulator protection
2)
An opto-isolated output for the existing CAMAC data acquisition system 3) A TTL level output for on-board testing purposes
The new micro-processor interlock protection system is shown in Figure 1 . 
2x60 INTERLOCKS

Figure 1
Micro-processor controlled interlock hardware scheme
The 32 way i n p u t c a r d h a n d l e s t h e i n t e r l o c k s i n groups o f e i g h t and any one o f these g r o u p s can g e n e r a t e a hardware i n t e r r u p t f o r t h e p r o c e s s o r . 
The f a i l e d i n t e r l o c k s a r e t h e n c o l l e c t e d i n groups o f e i g h t by t h e program and s t o r e d i n a l o c a l memory. Any i n t e r r u p t i s p r o c e s s e d immediately by a n i n t e r r u p t s e r v i c e r o u t i n e (ISR), which changes t h e o u t p u t s t a t u s
u t p u t l e v e l s t h a t r e a c t d i r e c t l y w i t h t h e modulators power c i r c u i t s and c o n t r o l i t s s t a t u s . A f i f t h o u t p u t l e v e l i s u s e d a s a watchdog and m o n i t o r s t h e f u n c t i o n i n g of t h e p r o c e s s o r v i a a s t a t u s l i n e t h a t i s t o g g l e d by t h e s o f t w a r e . I f t h i s l i n e s t o p s t o g g l i n g , t h e program h a s s t o p p e d r u n n i n g and t h e p r o t e c t i o n s y s t e m i s no l o n g e r working. Under t h e s e c o n d i t i o n s t h e modulator i s immediately p u t t o t h e OFF s t a t e . The machine a c c e s s c o n t r o l and HV p r o t e c t i o n d o o r s a l s o p r o v i d e i n t e r l o c k c o n t a c t s t h a t a r e connected i n series w i t h t h e o u t p u t c o n t r o l l e v e l s t o give a d d i t i o n a l p e r s o n n e l s e c u r i t y . EPROM s o f t w a r e development The main i n t e r l o c k management program i s a l o o p t h a t i n c l u d e s t h e a c q u i s i t i o n a n d t r e a t m e n t of t h e 120 i n p u t s i g n a l s and h a s been w r i t t e n i n P a s c a l . T h e f l o w diagram o f t h i s program i s g i v e n i n F i g u r e 2 . The program ' d i s p l a y ' v a r i a b l e i s used t o make s u r e t h a t t h e d i s p l a y s c r e e n i n f o r m a t i o n is w r i t t e n w i t h o u t i n t e r r u p t i o n from any o t h e r keyboard a c t i o n t h a t o c c u r s d u r i n g t h i s o p e r a t i o n . The i n i t i a l i s a t i o n , s t a r t -u p and i n t e r r u p t r o u t i n e s have been w r i t t e n i n
a n o c c u r . One t h a t i s g e n e r a t e d by a f a u l t y i n t e r l o c k and a second by a key on t h e u n i t s d i s p l a y p a n e l . However, t h e i n t e r l o c k g e n e r a t e d i n t e r r u p t s have p r i o r i t y o v e r any d i s p l a y r e q u e s t s .
T h e r e s p o n s e t i m e t o a n i n t e r l o c k g e n e r a t e d i n t e r r u p t i s shown i n F i g u r e 3 .
The d e l a y between t h e s w i t c h i n g o f t h e i n p u t i n t e r l o c k and t h e r e s p o n s e of t h e NOR g a t e i s c a u s e d by t h e o p t o -c o u p l e r . The o v e r a l l r e s p o n s e t i m e between t h e change of i n p u t a n d t h e E Q A l i n e on t h e G-64 bus is a b o u t 1 4 pS.
-
The four c h a n n e l s r e p r e s e n t t h e f o l l o w i n g s i g n a l s :
CH1 (A) : I n p u t i n t e r l o c k s i g n a l . CH2 (B):
Output o f a g r o u p o f e i g h t i n t e r l o c k s
I n t e r r u p t f l a g
G 6 4 i n t e r r u p t request l i n e (m). When a f a u l t o c c u r s t h e i n t e r r u p t service r o u t i n e i s e x e c u t e d and any s u b s e q u e n t new i n t e r r u p t s a r e disabled w h i l
s t t h e i n p u t g r o u p t h a t c a u s e d t h e f i r s t i n t e r r u p t i s traced by means of a p o l l i n g r o u t i n e . The o u t p u t s t a t u s of t h e p r o t e c t i o n s y s t e m is switched t o t h e a s s i g n e d o p e r a t i n g level a n d so p r o t e c t i n g t h e modulator. F i n a l l y t h e i n t e r r u p t f l a g i s c l e a r e d and t h e f a u l t y i n t e r l o c k i s s t o r e d a l o n g w i t h t h e d a t e and t i m e t a g s .
T h e d i s p l a y screen on each i n t e r l o c k unit a l l o w s t h e f o l l o w i n g d i s p l a y modes t o be selected :
Mode 1 C h e c k s s y s t e m memory and i s a u t o m a t i c a l l y a c t i v a t e d when p u l s i n g .
Mode 2 D i s p l a y s c u r r e n t s t a t u s o f i n t e r l o c k s .
Mode 3 Changes t h e d a t e and t i m e .
Mode 4 D i s p l a y s i n f o r m a t i o n and e r r o r messages. The new i n t e r l o c k system
Each o f t h e f o u r d i s p l a y modes have t h e i r own s o f t w a r e driver module c o n t a i n i n g s p e c i a l f u n c t i o n s and p r o c e d u r e s .
DSC (D~ILWMDK) DSC (DL~LVMDX)
The new i n t e r l o c k system d e s i g n [21 u s e s three d i f f e r e n t l a y e r s of hardware and s o f t w a r e .
T h i s e n a b l e s t h e f a u l t d a t a t o be a v a i l a b l e a t t h e three b a s i c system l e v e l s which a r e :
1)
Stand-alone modulator i n t e r l o c k p r o t e c t i o n level 2 )
Front-end p r o c e s s o r (Device Stub C o n t r o l l e r ) level
)
O p e r a t i o n a l u s e r level T h e system hardware scheme based on these three levels i s shown i n F i g u r e 4 .
I n t e r l o c k p r o t e c t i o n l e v e l A t t h e i n t e r l o c k hardware level each G-64 i n t e r l o c k u n i t h a s a Remote Terminal I n t e r f a c e ( R T I ) c a r d plugged i n t o i t s d a t a bus. The multi-drop MIL-1553-B f i e l d bus [ 3 ] c o n n e c t s t h i s c a r d up t o t h e a c c e l e r a t o r c o n t r o l s system. T h i s e n a b l e s t h e asynchronous exchange of d a t a i n response t o commands from t h e BUS C o n t r o l l e r (BC) i n t h e f r o n t end p r o c e s s o r ( D S C ) . T h e two b u f f e r memories on t h e R T I c a r d a r e used as Receive and Transmit FIFO b u f f e r s t a c k s t h a t h o l d c o n t r o l v a l u e s , and t h e G-64 a c q u i s i t i o n d a t a . A C o n t r o l and S t a t u s RegistertCSR) b i t (TB) i n d i c a t e s t o t h e BC t h a t i n t e r l o c k d a t a h a s been l o a d e d i n t o the
t r a n s m i t b u f f e r memory. The TB b i t i s o n l y reset a f t e r t h e t r a n s m i s s i o n i s complete. A d a t a t r a n s m i s s i o n r a t e of 1 Mbits/s was selected f o r t h e M I L c a b l e c o n n e c t i o n l e n g t h u s e d i n t h e system. The i n t e r l o c k p r o t e c t i o n micro-processor h a s a set o f firmware assembler i n s t r u c t i o n s t h a t a r e used t o l o a d t h e f a u l t y i n t e r l o c k d a t a i n t o t h e t r a n s m i t b u f f e r on t h e R T I card. T h i s EPROM program i s triggered i n t o a c t i o n by a hardware i n t e r r u p t on t h e o c c u r r e n c e of t h e f i r s t f a u l t y i n t e r l o c k . An i n t e r n a l d e l a y e n s u r e s the capture and storage of up to a maximum of seven subsequent c a s c a d i n g i n t e r l o c k s b e f o r e t h e U T I t r a n s m i t b u f f e r i s loaded. The worst case a c q u i s i t i o n t i m e measured f o r a complete sequence o f c a s c a d i n g i n t e r l o c k s was 116 m s . However, t h e measured average p r o t e c t i o n response t i m e t o p u t t h e modulator t o a non-pulsing s t a t e , a f t e r a f a u l t e v e n t o c c u r s , i s about 66 m s a s shown i n F i g u r e 5.
18-May-93 13:2l:48
ArMl
B:M2
C H 1 ( A ) :
T h e f a u l t y i n t e r l o c k .
The change o f o u t p u t s t a t e .
I
A t 66.10ms
Protection response time of modulator Figure 5 Front-end p r o c e s s o r level A t t h e DSC level a r e a l -t i m e s o f t w a r e t a s k h a s been w r i t t e n i n C language and r u n s under t h e c o n t r o l o f t h e Lynx (UNIX l i k e ) o p e r a t i n g system. The R T I b u f f e r c a r d s are scanned e v e r y 20 seconds by t h i s t a s k t o check f o r any new d a t a . A r e p r e s e n t a t i o n of t h e r e a lt i m e t a s k s o f t w a r e a l g o r i t h m i s shown i n F i g u r e 6.
I f new d a t a is a v a i l a b l e from t h e R T I c a r d it is
taken, t h e CSR b i t i s c l e a r e d and t h e d a t a r e f o r m a t t e d and s t o r e d . T h e r e f o r m a t t i n g p r o c e s s c o n s i s t s of removing any padding characters and decimal p o i n t s from t h e f i x e d l e n g t h 32 b y t e message. 
Faulty interlock display
The p a r t c o n c e r n i n g h i s t o r i c a l f a u l t d a t a s t o r a g e i s p r e s e n t l y b e i n g developed and u s e s a r e a l -t i m e t a s k t h a t must be s c h e d u l e d t o run d a i l y . T h i s c o l l e c t o r p r o c e s s program w i l l e x t r a c t t h e f a u l t d a t a from t h e TBL d a t a t a b l e s o f e a c h modulator, and reformat it b e f o r e s e n d i n g it t o t h e O r a c l e d a t a b a s e . The d i r e c t d i s p l a y windows program c a n t h e n a c c e s s t h e i n f o r m a t i o n a s r e q u i r e d . 
I n a d d i t i o n t o t h i s a s t a t i s t i c a l a n a l y s i s program
s-ry
The new i n t e r l o c k system h a s been i n s t a l l e d i n three o f t h e CERN LPI modulator systems, s i n c e November 1993. The o t h e r s i x modulators w i l l have t h e new i n t e r l o c k system i n s t a l l e d d u r i n g t h e c o u r s e of 1994.
T h e new equipment h a s performed r e l i a b l y o v e r t h i s p e r i o d w i t h a n o t i c e a b l e r e d u c t i o n of downtime due t o random f a u l t s i n t h o s e modulators t h a t have been equipped. T h e r e h a s a l s o been a n o t i c e a b l e d e c r e a s e i n t h e f a u l t d i a g n o s i s t i m e s i n c e t h e l o c a l memories o f e a c h i n t e r l o c k u n i t h o l d t i m e o r d e r e d h i s t o r i c a l d a t a on t h e l a s t eight f a u l t sequences t h a t have o c c u r r e d . The i n t e r l o c k f a u l t d i s p l a y program a l l o w s t h i s i n f o r m a t i o n t o be viewed from any PC t e r m i n a l . T h i s f a u l t memorisation and d i s p l a y f u n c t i o n a l l o w s a f a s t e r maintenance r e s p o n s e t i m e t h a n i n t h e p r e v i o u s r e l a y system and improves t h e o v e r a l l r e l i a b i l i t y and a v a i l a b i l i t y o f t h e LEP p r o c e s s .
