· Software has “stuck” value which does not reflect true status of machine. Other software uses this value.
· Software has “stuck” value which does not reflect true status of machine. Other software such as the up/downtime logger records the erroneous value. Value is reported to DOE as part of the “performance” metric.
· Software error causes an erroneous value of PLC mode or status to be interpreted. Other program uses the bad data. Results in machine damage or downtime.
Most, if not all, of these concerns can be addressed by the use of reasonable caution in the design of the software.
LRC - Longitudinal Redundancy Check. Method of calculating a checksum value on byte-wise encoded data.
Modbus - Communications protocol for use with Modicon PLCs. Based on RS/232.
Modbus Plus - Proprietary high speed communications protocol for Modicon PLCs, based on a token ring network.
PLC - Programmable Logic Controller. Highly specialized computer designed for industrial control.
RTU - Remote Terminal Unit. Method of data encoding. Allows a higher data transfer rate than ASCII encoded messages.
Modbus Parameters: RTU framing using CRC
The default Modbus RS232 parameters are set by the DIP switches located on the PLC (ref. 3).
RS232 Parameters: 8 data bits, even parity, 1 stop bit.
Default baud rate 19,200 b/sec.
Baud rate selectable between 300 and 19.2 kBaud.
Baud rate change may require reboot of IOC.
Update Rate: The update rate for all PLCs shall be less than 10 seconds. Each PLC shall be addressed at a rate of no more than 3 times per second.
Old data:
If the PLC data is more than 1 minute old then the data shall be declared invalid.
Fail-Safe:
The software developed to this document will be fail safe in that any single error, including hardware fault or failure, will not cause an erroneous beam power reading. An alarm will be generated for any detected hardware or software fault.
Reboot:
The PLC software shall be the last application started during a reboot or initialization of an IOC.
No reboot, reset, or IOC function shall result in an erroneous beam mode value.
Startup:
The software can take up to 1 minute to initialize, query the available PLCs, and start updating the beam status of each PLC.
Initialization:
All system and local variables shall be initialized to the safe state on start up. This includes any clocks or timers. The design document generated as part of this application should define the “safe”, “unsafe”, or “don’t care” attribute for each record.
The EPICS software and PLC shall not halt or crash when there is a disconnection of the communication cables between the IOC and PLC. The EPICS software shall be able to automatically recover to normal operation from this condition.
1. Function Code 03: Read Holding Register.
Each PLC has a status register at location 41000 dedicated for reading by EPICS. The EPICS software must address ONLY location 41000 and higher. An independent address and range check should be made before the read command is sent to the PLC. The operation shall be “Read Only” (Modbus Op code 03).
The registers to be read are given in Appendix A. Each register is 16 bits. Data may take the following forms:
Default: 16-bit signed integer
Note that the default is also the format for storing discrete data.
Other forms:
24-bit IEEE floating point "F"
16-bit unsigned "U"
32-bit (2x16) unsigned integer "UL"
32-bit (2x16) signed integer "L"
32-bit (2x16) signed "Long-Rational" (L-R), see below
Some values of "long" integers are actually scaled rational numbers, converted from IEEE floating point in the PLC. To properly display the integer and fractional portions of the signal, the signal should be divided by a number 10^x.
For example, if the PLC used the number PI = 3.1459265, the PLC would store the value as a "long" using two contiguous registers.
Example: Integer representation of Pi

| Register     | 41101 | 41102 |
| Value (data) | 31415 | 09265 |
To properly display this value we would have
313159265 / 10^9 = 3.14159265
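As an added C example (not part of this requirements document), the register forms listed above are decoded together with the validity rule from the Old data and PLC Status requirements. The high-word-first order for 2x16 values and the 10^x exponent argument are assumptions; note that the Pi illustration above concatenates decimal digits, whereas this code assembles the binary 32-bit value.

```c
#include <stdint.h>

/* Register data forms listed in the text.  "F" (24-bit float) is left out
 * because its bit layout is not given in the document. */
enum form { FORM_DEFAULT, FORM_U, FORM_UL, FORM_L, FORM_LR };

/* Assumed word order for 2x16 values: high word in register n, low word
 * in register n+1 (the document does not say). */
static uint32_t pair_u32(const uint16_t *regs)
{
    return ((uint32_t)regs[0] << 16) | regs[1];
}

static double pow10_int(int x)          /* 10^x without libm */
{
    double s = 1.0;
    for (int i = 0; i < x; i++) s *= 10.0;
    return s;
}

/* Decode one signal starting at regs[0].  `x` is the 10^x exponent for
 * "Long-Rational" values (assumed to come from the design document).
 * Returns 0 on success, -1 for a form this code does not handle. */
int decode_signal(enum form f, const uint16_t *regs, int x, double *out)
{
    switch (f) {
    case FORM_DEFAULT: *out = (int16_t)regs[0];        return 0;
    case FORM_U:       *out = regs[0];                 return 0;
    case FORM_UL:      *out = pair_u32(regs);          return 0;
    case FORM_L:       *out = (int32_t)pair_u32(regs); return 0;
    case FORM_LR:      *out = (int32_t)pair_u32(regs) / pow10_int(x); return 0;
    }
    return -1;
}

/* A decoded value is usable only if it lies inside the range given in the
 * signals table, the PLC Status word is 0 (a bad status flags the data as
 * possibly bad) and the reading is no more than 1 minute old. */
int signal_valid(double v, double lo, double hi,
                 uint16_t plc_status, unsigned age_s)
{
    if (plc_status != 0) return 0;   /* PLC reports an error */
    if (age_s > 60)      return 0;   /* old data: declare invalid */
    return v >= lo && v <= hi;
}
```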
Signals:

| Status I/O                  |    | Form          | Range  | Units | Notes                                                |   |           |
| Analog Input raw data       | 20 | Default       | 0-4095 | N/A   |                                                      | N |           |
| Arc Current Scaled Data     | 15 | Default       | 0-400  | Amps  |                                                      | Y |           |
| Arc Current Scaling Factor  | 45 | Default       |        |       |                                                      | Y |           |
| Beam Current Scaled Data    | 12 | Default       |        | uA    |                                                      | Y | Y         |
| Beam Current Scaling Factor | 24 | Default       |        |       |                                                      | Y |           |
| Tests Status                | 1  | Discrete reg. |        |       | Breakdown 16 bit word                                | N |           |
| Beam Energy                 | 6  | Default       | 0-10   | GeV   |                                                      | Y | Y         |
| Beam Power                  | 6  | Default       | 0-4095 | kW    |                                                      | Y | Y         |
| Warn                        | 6  |               |        |       |                                                      | Y | Log event |
| Alarm                       | 6  | Discrete      |        |       |                                                      | Y | Log event |
| Time to Alarm               | 6  | Default       | 0-4095 | s     | Countdown timer                                      | Y |           |
| Trip Counter                | 6  | Default       |        |       | Number representing number of trips since last reset | N |           |
| Warn Counter                | 6  | Default       |        |       | Number representing number of warns since last reset | N |           |
| PLC Status                  | 2  | Default       |        |       | Bad Status sets EPICS flag that data may be bad      | Y |           |
The following signals are used for error checking, exception handling, or initialization. It is not required to update this data at the 10 second update rate. Normally any communication errors are initially detected by the LRC or CRC check when performing the register read (function code 03).
2. Function Code 08: Diagnostics:
This code is used along with sub codes to query the status of the PLC.
Function Code 08: Subcode 00 Return Query Data
This code will return the PLC address and an echo of the 2 bytes of data that the EPICS program sends as part of the query message. This may be used as a quick check of the integrity of communications and the online/offline status of PLCs.
Function Code 08: Subcode 02 Return Diagnostic Register
The function may be used as a diagnostic as to the health of the PLC addressed. Normally the data returned should be 00h. Anything other than 00h represents a PLC error.
3. Function Code 17: Report Slave ID:
This is used to check the address and status of an individual PLC. It is used during initialization of the application program or for exception handling or diagnostics.
Byte 2 specifically contains the “run” status of the PLC and may be used to determine if the PLC is on or off line.
PLC Addresses:

| Area | System 1 | System 2 |
| BSY  | 4        | 5        |
Continuous Error checks:
All errors shall be uniquely identifiable to assist in troubleshooting problems with the system or application. If any of the following errors are detected the software shall declare the data invalid.
1. PLC Addressed = PLC received
2.
3. Address indexing: Shall ensure that the address read is not equal to the last address unless the number of PLCs on line is ≤ 1.
4. The software shall automatically detect if a predefined PLC is online or off-line. If the PLC is off line the software may skip that PLC for up to 1 minute. The software shall detect a PLC that is returned on line within one minute of the PLC returning to the “run” mode.
5. Retries: If communication is lost, the software will retry to establish communications at least 3 times but no more than 5 times. After that the software will generate a communications error for that PLC, place the PLC off the active scan list and will try to reestablish communications per 6.
6. LRC or CRC check on data received by EPICS - Each message field from the PLC is accompanied by an LRC (Longitudinal Redundancy Check) or CRC (Cyclic Redundancy Check). The EPICS software shall support LRC or CRC checking of received data. If the check is bad then the data shall be ignored. The software will then retry the data transfer per 7, above.
7. Exception Response Handling - If the PLC addressed cannot process the data requested by the EPICS software, the PLC will return an exception response containing a modified function code and an exception code. The EPICS software will consider an exception response a communication error and report the exception code. It is imperative that the EPICS software does not mistake an exception response for beam mode register data.
8. Parity Check - Each character of the transmitted data will use even parity. If the parity check fails the EPICS software will ignore the entire message for the addressed PLC.
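An added C example (not the project's own code) of the function code 03 exchange from section 1 above, with continuous error checks 1, 6 and 7 applied to the reply before any register value is accepted. The range check encodes the 41000 lower bound from section 1; the Modicon convention that a 4xxxx reference is sent on the wire as the reference minus 40001 is assumed here.

```c
#include <stddef.h>
#include <stdint.h>

/* Modbus RTU CRC-16: init 0xFFFF, reflected poly 0xA001, sent low byte first. */
uint16_t modbus_crc16(const uint8_t *buf, size_t len)
{
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 1) ? (crc >> 1) ^ 0xA001 : crc >> 1;
    }
    return crc;
}

/* Build a function-code-03 request.  The independent address/range check
 * comes first: EPICS may read ONLY 4x registers 41000 and up.  The wire
 * address is the 4xxxx reference minus 40001 (Modicon convention, assumed).
 * Returns the frame length (8) or 0 if the request is rejected. */
size_t build_fc03(uint8_t *out, uint8_t plc, uint16_t reg4x, uint16_t count)
{
    if (reg4x < 41000 || count == 0 || count > 125 ||
        (uint32_t)reg4x + count - 1 > 49999)
        return 0;
    uint16_t addr = reg4x - 40001;
    out[0] = plc;        out[1] = 0x03;
    out[2] = addr >> 8;  out[3] = addr & 0xFF;
    out[4] = count >> 8; out[5] = count & 0xFF;
    uint16_t crc = modbus_crc16(out, 6);
    out[6] = crc & 0xFF; out[7] = crc >> 8;
    return 8;
}

/* Uniquely identifiable error codes, as the error checks require. */
enum { RX_OK, RX_SHORT, RX_CRC, RX_ADDR, RX_EXCEPTION, RX_FUNC, RX_COUNT };

/* Check a reply to build_fc03() and unpack `count` registers.  Any non-zero
 * result means "data invalid": bad CRC, wrong PLC address, an exception
 * reply (function code with bit 7 set, exception code in byte 2, which must
 * never be mistaken for register data), wrong function code or byte count. */
int parse_fc03_reply(const uint8_t *f, size_t len, uint8_t plc,
                     uint16_t count, uint16_t *regs, uint8_t *exc)
{
    if (len < 5) return RX_SHORT;
    uint16_t crc = (uint16_t)(f[len - 2] | (f[len - 1] << 8));
    if (modbus_crc16(f, len - 2) != crc) return RX_CRC;
    if (f[0] != plc) return RX_ADDR;            /* PLC addressed == received */
    if (f[1] & 0x80) { *exc = f[2]; return RX_EXCEPTION; }
    if (f[1] != 0x03) return RX_FUNC;
    if (f[2] != count * 2 || len != (size_t)count * 2 + 5) return RX_COUNT;
    for (uint16_t i = 0; i < count; i++)
        regs[i] = (uint16_t)((f[3 + 2 * i] << 8) | f[4 + 2 * i]);
    return RX_OK;
}
```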
Communications Error Handling:
A mismatch in any of the RS232 parameters (baud, parity, LRC, etc.) between the EPICS system and the BEL PLC systems shall not result in erroneous data or in associating the data of one PLC with the address of another. No communication error shall result in an erroneous beam power value.
Overwrites:
Precaution should be observed in the design of the software to ensure that the data passed to other applications cannot be overwritten by other applications. Due care should be given in the design of any application using the beam power data to perform redundant checks of the beam mode status value. This requirement should be reflected in the software documentation for this application.
Interrupt Handling:
Interrupts on the EPICS IOC shall not affect the update rate of the BEL status readbacks.
EPICS records:
EPICS records shall be continuously updated with the actual latest value of the PLC readback. Records shall not be “update on change” only.
All records for this application shall be “read only” by other applications, including “Spy” or similar utility functions.
The EPICS system shall maintain at least the following records for each PLC:
PLC Address - Decimal address of PLC
Current PLC Mode - Decimal or string value of current PLC mode
Last Mode - Mode of PLC in scan n-1.
PLC Health - 1 = Health good, 0 = Health bad
PLC Mode Status - 0 = valid mode, > 0 = error code, see below:
Bad/non existent address
PLC not responding
Bad State
PLC health status
System Wide records:
The EPICS system shall maintain the following system wide records:
(The numbers given below are for reference purposes only.The application programmer may use descriptive variable names instead of a number.)
Alarms:
In addition to the other alarms identified, the EPICS software should maintain the following alarms:
System 1 not equal to System 2 (within 5%)
Communications error.
Data Logging:
A data log event file shall be automatically updated anytime an event occurs.
Individual files shall be maintained for a 24 hour period starting at or near 00:00.
File format:
MM/dd/yy  hh:mm:ss  Location  Parameter  Data  Event  Action
Example:
04/09/99  03:33:00  System 1  Operations Envelope  1060 kW  Warn   Current reduced
04/09/99  03:33:20  System 1  Operations Envelope  1060 kW  Fault  Beam Shutdown
04/09/99  03:36:00  System 1  Operator Reset
04/09/99  17:24:15  System 2  Self Test  Passed
Simulation Mode:
Provision can be made to implement a simulation mode where the PLC input data is taken from a user input instead of the actual data from the PLCs. This mode is intended to be used as a tool for certification of the software as well as a diagnostic for troubleshooting problems with the system and its interfaces. Use of the simulation mode will result in the electron guns being shut off.
Simulation mode is entered by the operator entering a five character password code. At such time, the input data for the PLCs are taken from user inputs either from a file or directly from a user screen. Access to the user screen and the access code shall be strictly controlled. At this time only the Safety System Group Leader or the Deputy Safety System Group Leader shall be able to enable the simulation mode.
All of the following conditions SHALL be true in order for the software to be in simulation mode:
[
  (
    ( The FSD master node is fully Unmasked - mask value = 0000h
      AND
      The FSD master node is faulted. )
    OR
    ( The gun high voltage is OFF = 0V
      AND
      The FSD Master node is faulted )
  )
  AND
  The injector BCM read back < 1 uA.
  AND
  Simulation Mode Code = {value}
  AND
  Timer > {value}
]
If any of the above conditions are not true then the simulation mode shall not be instantiated.
This logic shall be continuously checked while in simulation mode.
The simulation mode user screen shall include a visible indicator of the simulation mode status.
Once the user enters the password code there shall be a count down timer which will automatically revert back to the operational mode (out of sim mode) in 15 minutes. The timer should start at a value of 16 minutes and count down to zero. The function should exit the simulation function when the timer reaches 1 minute but the timer should continue down to zero. This overlap is to allow for errors that could be introduced by having a comparison value at zero.
When the timer function is started the software should also check the initial value of the timer to ensure that it equals 16 minutes. If the value does not equal 16 minutes then the software should alert the operator and exit the simulation mode.
The default mode shall be the operational mode. Under no circumstances shall the software be able to automatically switch to the simulation mode.
The default value for the timer shall be zero.
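The simulation mode permissive and the timer rules above, as an added C example that is not part of this document; the field names, the expected code value and the Timer threshold are placeholders for values the application defines.

```c
#include <stdint.h>

/* Placeholders (not from the document): the 5-character code value and the
 * "Timer > {value}" threshold are left to the application. */
#define SIM_CODE_EXPECTED 0x5A5A5A
#define SIM_TIMER_MIN_S   0
#define SIM_TIMER_START_S (16 * 60)   /* timer loads at 16 minutes */
#define SIM_TIMER_EXIT_S  (1 * 60)    /* leave sim mode at 1 minute */

struct plant {
    uint16_t fsd_mask;        /* FSD master node mask, 0000h = fully unmasked */
    int      fsd_faulted;     /* FSD master node faulted */
    double   gun_hv_volts;    /* gun high voltage, 0 = OFF */
    double   injector_bcm_ua; /* injector BCM read back, microamps */
    uint32_t sim_code;        /* code entered by the operator */
    int      timer_s;         /* countdown timer, seconds; default 0 */
};

enum sim_state { SIM_OFF, SIM_ON, SIM_ALERT };

/* The bracketed permissive above: every term must be true. */
int sim_mode_permitted(const struct plant *p)
{
    int unmasked_and_faulted = (p->fsd_mask == 0x0000) && p->fsd_faulted;
    int hv_off_and_faulted   = (p->gun_hv_volts == 0.0) && p->fsd_faulted;
    return (unmasked_and_faulted || hv_off_and_faulted)
        && p->injector_bcm_ua < 1.0
        && p->sim_code == SIM_CODE_EXPECTED
        && p->timer_s > SIM_TIMER_MIN_S;
}

/* Operator entered the code: the timer is loaded and its value read back.
 * If the read-back is not 16 minutes, alert the operator and stay out. */
enum sim_state sim_start(struct plant *p, int timer_readback_s)
{
    p->timer_s = timer_readback_s;
    if (timer_readback_s != SIM_TIMER_START_S) { p->timer_s = 0; return SIM_ALERT; }
    return sim_mode_permitted(p) ? SIM_ON : SIM_OFF;
}

/* One-second tick.  Sim mode ends when the timer reaches 1 minute while the
 * timer keeps counting to zero; the permissive is re-checked every tick;
 * and the software never switches itself back into sim mode. */
enum sim_state sim_tick(struct plant *p, enum sim_state s)
{
    if (p->timer_s > 0) p->timer_s--;
    if (s != SIM_ON) return SIM_OFF;
    if (p->timer_s <= SIM_TIMER_EXIT_S) return SIM_OFF;
    return sim_mode_permitted(p) ? SIM_ON : SIM_OFF;
}
```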
4.0 Quality Assurance:
All software applications developed for this requirement shall be bench tested before installation in the field. Preliminary acceptance of the software function shall be by the Safety Systems Group Leader or Designee.
All software developed for this requirement shall undergo a design review by a computer scientist other than the developer. Design review comments and correction plans shall be documented.
Development of this software application should follow accepted good practice for medium to high integrity software (mission/safety critical) applications.
This software shall be under PSS configuration control as a level 1 device (2). Any changes to the released software shall require written approval by the acting Safety Systems Group Leader prior to any changes.
Any changes to this software application, the EPICS version, RTOS version, or the IOC CPU the software runs on after final acceptance shall require reverification of the functionality of the application.
The software developed to this specification shall be documented using good practice for software documentation. All documentation should be easily readable by anyone familiar with C language programming and/or EPICS software.
Documentation should include information and/or cautions for persons wishing to use the data generated by this application.
All programs, applications, and documentation developed under this requirements document shall follow CEBAF version control procedures.
This software application shall be “owned” by the Controls Software Group.
5.0 Security:
All files and data generated from this software application shall be maintained under strict configuration control. Access to program files, boot scripts, and other information used in the operation of the program shall be strictly maintained. Access to such files and scripts shall be under the administration of the Deputy Group Leader for Software Controls.
It shall not be possible to alter this application or comment it out of the IOC boot script without the explicit approval of the Deputy Group Leader for Software Controls and the Safety Systems Group Leader, or their respective designee. Alteration of this program includes alteration to any function or ancillary program used by this application.
It shall not be possible to change or alter the EPICS records generated by this program. The only exception to this is if a “simulation mode” (see section on …) is implemented.
6.0 References:
1. Modicon Modbus Protocol Reference Guide, P1-MBUS-300 Rev. G, Nov. 1994
2. BEL System Description
Revision History:
Revision - Draft
Appendix 1. Validation Checklist
Communications Error Handling
| Reference | Test | Description | Expected Response |
| | RS/232 Errors | | |
| | Port Disconnected at PLC | RS232 cable is unplugged at PLC end. | Software detects loss of communication. Mode read = invalid. |
| | Port Reconnected at PLC | RS232 cable is plugged back in at PLC end. | Software detects PLC back on line. Restores communication = 1 min. |
| | Port Disconnected at IOC | RS232 cable is unplugged at IOC end. | Software detects loss of communication. Mode read = invalid. |
| | Port Reconnected at IOC | RS232 cable is plugged back in at IOC end. | Software detects PLC back on line. Restores communication = 1 min. |
| | PLC Baud > IOC baud | PLC baud rate set to > IOC baud rate. Communication attempted. | IOC detects error. Beam mode read = invalid. |
| | PLC Baud < IOC baud | PLC baud rate set to < IOC baud rate. Communication attempted. | IOC detects error. Beam mode read = invalid. |
| | PLC set to no parity | PLC comm. parameters set for no parity. | IOC detects parity error. Beam mode read = invalid. |
| | IOC set to no parity | IOC comm. parameters set for no parity. | PLC detects parity error. Set comm. error status bit. |
| | PLC set to no stop bit | PLC comm. parameters set for no stop bit. | IOC detects comm. error. Beam mode read = invalid. |
| | IOC set to no stop bit | IOC comm. parameters set for no stop bit. | IOC detects comm. error. Beam mode read = invalid. |
| | Initialization Tests | | |
| | PLC Stopped | PLC logic stopped. | IOC detects PLC stopped. Beam mode = invalid. |
| | PLC Restart | PLC logic restarted. | IOC detects PLC back on line. Normal comm. restored. |
| | PLC set to ASCII mode | PLC comm. parameters set for ASCII mode. IOC in RTU mode. | IOC detects comm. error. Beam mode = invalid. |
| | PLC Status error | PLC status error generated. Word > 0. | IOC detects status error. Beam mode = invalid. |
| | PLC address not equal to EPICS scan list address | PLC Modbus address set to value not equal to address in IOC scan list. | PLC ignores IOC. IOC detects PLC off line. |
| | PLC address in return message not equal to PLC address | PLC status word address set to different value than RS232 address. | IOC detects error. Beam mode read = invalid. |
Recommended Test Set up:

