The proposed design aims at a very high level of reliability: 99.999 % availability (referred to from now on as the 5*9), which would represent just 5 min/year of downtime. The system would be based on advanced telecommunication technologies (GBEthernet), with several channels working at rates of 2 Gbit/s. This communication system will be used as a backbone for voice and data communication (IP services). Fiber-optic cables (FO) will be used as the communication medium, each of them multiplexed into different channels and wavelengths, providing several dedicated transmission systems to the various users (Controls, Safety...). One FO will be dedicated to data transmission for the safety systems, with additional safety features (48V supply, redundant paths...).
The communication system is divided into different sectors, together with a common communication centre (CC) for all the sectors, where information is centralized. Every sector basically consists of six service points where equipment is connected, plus the CC. These service points are placed as follows: two LHC surface points, the respective LHC underground points and two more in the tunnel between the preceding ones. In this way, just four fiber-optic cables are required. Furthermore, information travels in both directions (full duplex), so even if the FO is cut at one point, service will still be assured for the whole sector. This concept provides dynamic redundancy at the communication media level. For the CSAM project, if data are transmitted on both the control and the safety network, this means 4 transmission paths!
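The single-cut claim above can be checked by enumerating fibre cuts. This is an added example, not part of the original minutes; it assumes the CC and the six service points of one sector form one closed fibre loop (the minutes do not spell out the topology), and the names SP1..SP6 are hypothetical.

```python
from itertools import combinations

# Assumption (not stated in the minutes): the CC and the six service points
# of one sector sit on a single closed fibre loop. SP1..SP6 are made-up names.
NODES = ["CC", "SP1", "SP2", "SP3", "SP4", "SP5", "SP6"]
LINKS = [(NODES[i], NODES[(i + 1) % len(NODES)]) for i in range(len(NODES))]


def reachable_from_cc(cut_links):
    """Nodes that can still exchange data with the CC after the given cuts."""
    alive = [link for link in LINKS if link not in cut_links]
    seen, todo = {"CC"}, ["CC"]
    while todo:
        node = todo.pop()
        for a, b in alive:
            # Full duplex: a surviving link carries traffic in both directions.
            nxt = b if a == node else a if b == node else None
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


def isolating_cuts(n_cuts):
    """Every combination of n_cuts simultaneous cuts that isolates some node."""
    found = []
    for cuts in combinations(LINKS, n_cuts):
        lost = sorted(set(NODES) - reachable_from_cc(cuts))
        if lost:
            found.append((cuts, lost))
    return found


def downtime_minutes_per_year(availability):
    """Yearly downtime budget implied by an availability figure."""
    return (1.0 - availability) * 365 * 24 * 60


if __name__ == "__main__":
    print("single cuts that isolate a node:", len(isolating_cuts(1)))
    print("double cuts that isolate a node:", len(isolating_cuts(2)), "of 21")
    worst = max(isolating_cuts(2), key=lambda item: len(item[1]))
    print("worst double cut:", worst[0], "loses", worst[1])
    print("5*9 budget: %.2f min/year" % downtime_minutes_per_year(0.99999))
```

Under this assumption no single cut isolates a service point, but every pair of simultaneous cuts does, and cutting both fibres next to the CC loses the whole sector.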
This proposal definitely seems very interesting for the CSAM project,
although some safety aspects have to be studied in depth:
- At the moment this proposal just covers the LHC machine and not the
Meyrin and Prevessin sites. A proposal for this extension will be presented
but this would definitely complicate the sector architecture design. Otherwise,
an alternative solution for the CSAM project will have to be studied.
- From the safety point of view, the use of FO as a communication medium
is very adequate. Since there are no galvanic connections, induced currents
won't be present. Furthermore, every service point works at 48 V, being
supplied by a local power supply and, of course, a back-up battery. The
most vulnerable point seems to be the CC. A special design, in order to
avoid common modes of failure, is foreseen. Many interesting ideas were
proposed and this common mode problem (considering
fire, intrusion, electrical power cut) will be investigated further by
Pal Anderssen.
- Only safety-related systems will be connected to the safety channels:
Access control, CSAM... So, one has to be sure that no perturbations will
occur between them. A procedure and a validation
board should be set up between the users of these safety systems,
to ensure that a new user, or a modification of an existing system, will
not affect the performance and reliability of the safety channel. Network
specialists shall be involved to test the safety channel.
- If a channel is not working, this won't compromise the performance
of the rest of the channels. Furthermore, there will be 2 control channels
and 2 safety channels assuring the full availability of the system.
- The constructor of this communication infrastructure would provide
20 years of support for the equipment.
- In order to use this proposed system, it would be necessary to build
an FO ring to send the information from the PCR to the SCR and TCR.
If this proposal is accepted, the communication infrastructure will be ready at the end of 2002. Some equipment tests could start with the first installation of the equipment at the beginning of 2000.
Action items:
People interested in this presentation are required to send a candidature
to Luigi Scibile.
Action items:
- The prototype is ready to interface with other systems (detection,
DB...) but the Interface Control Documents need to be provided (Silvia/Carlos).
Action item:
- A reliability and impact study of these two solutions is urgently
required to definitively decide on the best choice.
Many comments were made on the last point. This solution seems to be the easiest and simplest one, but it would mean double the cost of maintenance, configuration, updating programs and DB, etc.
- Pierre explained the relation between availability and security (defined by Safety Integrity levels) currently applicable to industrial PLCs. For our case, we are looking for high availability and a low security level (here the security is defined as the guaranteed output status of the PLC in case of failure). We should not forget about other industrial PLCs and fieldbuses like Schneider and WorldFIP that seem to suit this relation very well. Regarding the annunciation equipment, there are some very interesting systems (HP, SUN etc...) working at high availability that should be studied in more detail.
Action item:
- It is necessary to include in the CSAM prototype a test of these technologies.