BELS to EPICS 
Table of Contents:

1.0 Introduction

This specification gives the requirements for interfacing the Beam Envelope Limit System (BELS) programmable logic controller network to the EPICS control system. It is desirable to have BEL status information available to the EPICS system, both as a first line of action and as an interface for information display and self-test functions.
The BEL PLC system is composed of 2 Modicon Quantum series PLCs. There are 2 independent branches, labeled 1 and 2. Each PLC has an RS232 connection, which uses the Modbus protocol (1).
This software is for the purpose of reading status data from the BEL PLCs. Because this software can directly cause machine downtime, the application programmer must ensure that the data provided is current and reflects the true status of the BEL system to the greatest extent possible.

1.1 Concerns in the application of this software:

Explicit concerns are:
·Software causes the PLC to overrun its watchdog timeout period (250 ms).
·Software affects logic solving of the PLCs. This is highly unlikely but could potentially be a means of common-cause failure of the redundant PSS systems. Simultaneous failure of both systems could result in exceeding the machine beam power safety envelope.
·Software overwrites PLC status registers which are used to calculate beam power.

·Software has a “stuck” value which does not reflect the true status of the machine. Other software uses this value.

·Software has a “stuck” value which does not reflect the true status of the machine. Other software such as the up/downtime logger records the erroneous value. The value is reported to DOE as part of a “performance” metric.

·Software error causes an erroneous PLC mode or status value to be interpreted. Another program uses the bad data, resulting in machine damage or downtime.

Most, if not all, of these concerns can be addressed by the use of reasonable caution in the design of the software.

1.2 Goals

It is the goal of this software application to enable the EPICS system to read status data from the BEL system. The software design must have the following objectives in mind:
·The software communications should be robust. No software related error should result in a malfunction of the BEL system or of the communication interface between the two systems.
·The software logic and output should be fail-safe. No software related error should result in erroneous data being transferred to another application.
·The software should be easily testable for function and integrity.
·The software should be robust against malicious or incidental interference with its function or data.

2.0 Definitions

CRC - Cyclic Redundancy Check. Method of calculating a checksum value on binary-encoded data.

EPICS - Experimental Physics and Industrial Control System. Software used to implement real time control of inputs and outputs. Runs on the VxWorks real time operating system.

FSD - Fast Shutdown system. System of equipment interlocks interfaced to the electron gun. Loss of the 5 MHz permissive signal will result in beam shutdown. System based on FSD cards which have electrical and fiber-optic inputs. Inputs may be selectively masked through the control system.

IOC - Input/Output Controller. Computer on which the EPICS system runs. Typically a Motorola 64xxx processor.

LRC - Longitudinal Redundancy Check. Method of calculating a checksum value on byte-wise encoded data.

Modbus - Communications protocol for use with Modicon PLCs. Based on RS-232.

Modbus Plus - Proprietary high speed communications protocol for Modicon PLCs, based on a token ring network.

PLC - Programmable Logic Controller. Highly specialized computer designed for industrial control.

RTU - Remote Terminal Unit. Method of data encoding. Allows a higher data transfer rate than ASCII encoded messages.

3.0 Requirements

3.1 General Requirements

The interface shall be read only from the PLC system to the EPICS system.

Ports: Two separate RS-232 ports shall be used, one for BEL system 1 and one for BEL system 2.

Protocol: The EPICS system shall logically connect to the PLCs using the Modbus protocol (ref. 1).

Modbus Parameters: RTU framing using CRC.

The default Modbus RS232 parameters are set by the DIP switches located on the PLC (ref. 3).

RS232 Parameters: 8 data bits, even parity, 1 stop bit.

Default baud rate 19,200 b/sec.

Baud rate selectable between 300 and 19.2 kBaud.

Baud rate change may require reboot of the IOC.

Update Rate: The update rate for all PLCs shall be less than 10 seconds. Each PLC shall be addressed at a rate of no more than 3 times per second.

Old data:

If the PLC data is more than 1 minute old then the data shall be declared invalid.

Fail-Safe:

The software developed to this document will be fail safe in that any single error, including a hardware fault or failure, will not cause an erroneous beam power reading. An alarm will be generated for any detected hardware or software fault.

Reboot:

The PLC software shall be the last application started during a reboot or initialization of an IOC.

No reboot, reset, or IOC function shall result in an erroneous beam mode value.

Startup:

The software can take up to 1 minute to initialize, query the available PLCs, and start updating the beam status of each PLC.

Initialization:

All system and local variables shall be initialized to the safe state on start up. This includes any clocks or timers. The design document generated as part of this application should define the “safe”, “unsafe”, or “don’t care” attribute for each record.

The EPICS software and PLC shall not halt or crash when there is a disconnection of the communication cables between the IOC and PLC. The EPICS software shall be able to automatically recover to normal operation from this condition.

3.2 Specific Requirements

Data to be read from the PLC:
Communication with the PLCs is done with the predefined communication function codes defined in ref. 1.
The data request message sent from the EPICS software to the PLC shall include LRC or CRC checks (example given in ref. 1). The response from the PLC will include LRC or CRC checks. The message received from the PLC may also contain an exception response to the function or data query. The EPICS software shall be able to process exception responses (see “Continuous Error Checks” - #9).
Three function codes will be supported by this application:

1. Function Code 03: Read Holding Register.

Each PLC has a status register at location 41000 dedicated for reading by EPICS. The EPICS software must address ONLY location 41000 and higher. An independent address and range check should be made before the read command is sent to the PLC. The operation shall be “Read Only” (Modbus op code 03).
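As an added example (not code from this specification, from EPICS or from Modicon), the following C shows a function code 03 request for the BEL status block built with the independent address/range check required above, together with the reply validation the “Continuous Error Checks” section calls for: CRC verified before anything is parsed, the reply address compared with the address sent, and an exception reply (function code with the high bit set) reported by code and never copied into the register buffer. Two assumptions are not stated on the page and must be confirmed against ref. 1: Modicon “4xxxx” register numbers map to wire addresses as (number - 40001), so 41000 is sent as 999 (0x03E7), and the CRC is the standard Modbus CRC-16 (initial 0xFFFF, reflected polynomial 0xA001, low byte transmitted first).

```c
/* Added example, not code from the BELS specification or from EPICS.
 * Assumptions: 4xxxx register numbers map to (number - 40001) on the wire;
 * standard Modbus CRC-16 (init 0xFFFF, poly 0xA001, low byte first). */
#include <stdint.h>
#include <stddef.h>

#define BEL_FIRST_ALLOWED_REG 41000u  /* EPICS may address 41000 and higher only */
#define BEL_LAST_REG          49999u  /* top of the 4xxxx holding-register space */
#define MB_FC_READ_HOLDING    0x03
#define MB_EXCEPTION_FLAG     0x80    /* set in the function code of an exception reply */

/* Every failure gets its own code so it can be reported uniquely. */
enum mb_result {
    MB_OK = 0,
    MB_ERR_LENGTH,     /* reply too short, or byte count does not match */
    MB_ERR_CRC,        /* CRC-16 mismatch: the whole message is ignored */
    MB_ERR_ADDRESS,    /* reply carries a different slave address */
    MB_ERR_FUNCTION,   /* reply function code is not the one sent */
    MB_ERR_EXCEPTION   /* PLC returned an exception code */
};

/* Standard Modbus CRC-16 over buf[0..len). */
uint16_t mb_crc16(const uint8_t *buf, size_t len)
{
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 1) ? (uint16_t)((crc >> 1) ^ 0xA001) : (uint16_t)(crc >> 1);
    }
    return crc;
}

/* Append the CRC (low byte first) to frame[0..len); returns the new length. */
size_t mb_append_crc(uint8_t *frame, size_t len)
{
    uint16_t crc = mb_crc16(frame, len);
    frame[len] = (uint8_t)(crc & 0xFF);
    frame[len + 1] = (uint8_t)(crc >> 8);
    return len + 2;
}

/* Build a FC03 request into out[8]. Returns the frame length, or 0 when the
 * register window is outside the allowed range. The range check is made
 * here, independently of whatever the caller already checked. */
size_t mb_build_read_holding(uint8_t slave, unsigned first_reg,
                             unsigned count, uint8_t out[8])
{
    if (count == 0 || count > 125) return 0;
    if (first_reg < BEL_FIRST_ALLOWED_REG) return 0;
    if (first_reg + count - 1 > BEL_LAST_REG) return 0;

    uint16_t addr = (uint16_t)(first_reg - 40001u);  /* assumed 4xxxx mapping */
    out[0] = slave;
    out[1] = MB_FC_READ_HOLDING;
    out[2] = (uint8_t)(addr >> 8);
    out[3] = (uint8_t)(addr & 0xFF);
    out[4] = (uint8_t)(count >> 8);
    out[5] = (uint8_t)(count & 0xFF);
    return mb_append_crc(out, 6);
}

/* Validate the reply to that request. On MB_OK the big-endian register words
 * are copied into regs[0..count). On MB_ERR_EXCEPTION the PLC's exception
 * code is stored in *exc_code for reporting; it is never copied into regs,
 * so an exception reply cannot be mistaken for status register data. */
enum mb_result mb_check_read_reply(uint8_t slave, unsigned count,
                                   const uint8_t *rx, size_t rxlen,
                                   uint16_t *regs, uint8_t *exc_code)
{
    if (rxlen < 5) return MB_ERR_LENGTH;              /* addr, fc, 1 byte, crc */
    uint16_t crc = mb_crc16(rx, rxlen - 2);
    if (rx[rxlen - 2] != (crc & 0xFF) || rx[rxlen - 1] != (crc >> 8))
        return MB_ERR_CRC;                            /* checked before parsing */
    if (rx[0] != slave) return MB_ERR_ADDRESS;        /* PLC addressed = PLC received */
    if (rx[1] == (MB_FC_READ_HOLDING | MB_EXCEPTION_FLAG)) {
        if (exc_code) *exc_code = rx[2];
        return MB_ERR_EXCEPTION;
    }
    if (rx[1] != MB_FC_READ_HOLDING) return MB_ERR_FUNCTION;
    if (rx[2] != count * 2 || rxlen != (size_t)(5 + count * 2)) return MB_ERR_LENGTH;
    for (unsigned i = 0; i < count; i++)
        regs[i] = (uint16_t)((rx[3 + 2 * i] << 8) | rx[4 + 2 * i]);
    return MB_OK;
}
```

The order of the checks is deliberate: the CRC is verified over the raw bytes first, so a frame damaged by a parity or baud mismatch is discarded before any field is interpreted, and the address and function code are compared only on a frame that is known to be intact. A caller that receives anything other than MB_OK declares the PLC's data invalid and feeds the result to its retry logic.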

The registers to be read are given in appendix A. Each register is 16 bits. Data may take the following forms:

Default: 16-bit signed integer

Note that the default is also the format for storing discrete data.

Other forms:

24-bit IEEE floating point "F"

16-bit Unsigned "U"

32-bit (2x16) unsigned integer "UL"

32-bit (2x16) signed integer "L"

32-bit (2x16) signed "Long-Rational" (L-R), see below

Some values of "long" integers are actually scaled rational numbers, converted from IEEE floating point in the PLC. To properly display the integer and fractional portions of the signal, the signal should be divided by a number 10^x.

For example, if the PLC used the number PI = 3.14159265, the PLC would store the value as a "long" using two contiguous registers:

Example: Integer representation of Pi

Register   Value (data)
41101      31415
41102      09265

To properly display this value we would have

314159265 / 10^9 = 3.14159265

Signals:

Status I/O

Signal                      | Inputs | Type          | Range / Note                                    | Units | EPICS Alarm | Datalog
Analog Input raw data       | 20     | Default       | 0-4095                                          | N/A   | N           |
Arc Current Scaled Data     | 15     | Default       | 0-400                                           | Amps  | Y           |
Arc Current Scaling Factor  | 45     | Default       |                                                 |       | Y           |
Beam Current Scaled Data    | 12     | Default       |                                                 | uA    | Y           | Y
Beam Current Scaling Factor | 24     | Default       |                                                 |       | Y           |
Tests Status                | 1      | Discrete reg. | Breakdown of 16 bit word                        |       | N           |
Beam Energy                 | 6      | Default       | 0-10                                            | GeV   | Y           | Y
Beam Power                  | 6      | Default       | 0-4095                                          | kW    | Y           | Y
Warn                        | 6      |               |                                                 |       | Y           | Log event
Alarm                       | 6      | Discrete      |                                                 |       | Y           | Log event
Time to Alarm               | 6      | Default       | 0-4095 (countdown timer)                        | s     | Y           |
Trip Counter                | 6      | Default       | Number of trips since last reset                |       | N           |
Warn Counter                | 6      | Default       | Number of warns since last reset                |       | N           |
PLC Status                  | 2      | Default       | Bad status sets EPICS flag that data may be bad |       | Y           |



The following signals are used for error checking, exception handling, or initialization. It is not required to update this data at the 10 second update rate. Normally any communication errors are initially detected by the LRC or CRC check when performing the register read (function code 03).

2. Function Code 08: Diagnostics:

This code is used along with sub codes to query the status of the PLC.

Function Code 08: Subcode 00: Return Query Data

This code will return the PLC address and an echo of 2 bytes of data that the EPICS program sends as part of the query message. This may be used as a quick check of the integrity of communications and of the online/offline status of PLCs.

Function Code 08: Subcode 02: Return Diagnostic Register

The function may be used as a diagnostic as to the health of the PLC addressed. Normally the data returned should be 00h. Anything other than 00h represents a PLC error.

3. Function Code 17: Report Slave ID:

This is used to check the address and status of an individual PLC. It is used during initialization of the application program or for exception handling or diagnostics.

Byte 2 specifically contains the “run” status of the PLC and may be used to determine if the PLC is on or off line.



PLC Addresses:

Area | System 1 | System 2
BSY  | 4        | 5

Continuous Error checks:

All errors shall be uniquely identifiable to assist in troubleshooting problems with the system or application. If any of the following errors are detected the software shall declare the data invalid.

1. PLC Addressed = PLC received

2.

3. Address indexing: Shall ensure that the address read is not equal to the last address unless the number of PLCs on line <= 1.

4. The software shall automatically detect if a predefined PLC is online or off-line. If the PLC is off line the software may skip that PLC for up to 1 minute. The software shall detect a PLC that has returned on line within one minute of the PLC returning to the “run” mode.

5. Retries: If communication is lost, the software will retry to establish communications at least 3 times but no more than 5 times. After that the software will generate a communications error for that PLC, place the PLC off the active scan list and will try to reestablish communications per 6.

6. LRC or CRC check on data received by EPICS - Each message field from the PLC is accompanied by an LRC (Longitudinal Redundancy Check) or CRC (Cyclic Redundancy Check). The EPICS software shall support LRC or CRC checking of received data. If the check is bad then the data shall be ignored. The software will then retry the data transfer per 7, above.

7. Exception Response Handling - If the PLC addressed cannot process the data requested by the EPICS software, the PLC will return an exception response containing a modified function code and an exception code. The EPICS software will consider an exception response a communication error and report the exception code. It is imperative that the EPICS software does not mistake an exception response for beam mode register data.

8. Parity Check - each character of the transmitted data will use even parity. If the parity check fails the EPICS software will ignore the entire message for the addressed PLC.
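The per-PLC bookkeeping that ties items 4 and 5 above to the update-rate, old-data and initialization rules of section 3.1, as an added C example (not code from the specification or from EPICS). The transaction itself (sending the frame, CRC/address/exception checks) is outside this module and reports only success or failure; any failure, whatever its cause, makes the data invalid immediately, and the fifth consecutive failure takes the PLC off the active scan list, after which it is re-tried once a minute. The millisecond clock supplied by the caller is an assumption; the page does not say which EPICS or VxWorks timer would be used.

```c
/* Added example, not code from the BELS specification or from EPICS.
 * Assumption: caller supplies a monotonic millisecond clock. */
#include <stdint.h>
#include <stdbool.h>

#define PLC_MAX_RETRIES       5      /* retry at least 3, no more than 5 times */
#define PLC_MIN_POLL_GAP_MS   334    /* no more than 3 transactions per second per PLC */
#define PLC_STALE_MS          60000  /* data older than 1 minute is invalid */
#define PLC_OFFLINE_RETRY_MS  60000  /* an off-line PLC may be skipped for up to 1 minute */

enum plc_state { PLC_ONLINE, PLC_RETRYING, PLC_OFFLINE };

struct plc_scan {
    uint8_t        address;
    enum plc_state state;
    int            failures;         /* consecutive failed transactions */
    uint32_t       last_poll_ms;
    uint32_t       last_good_ms;
    uint32_t       offline_since_ms;
};

/* Safe-state initialisation: off line, no valid data, but due for a poll at once. */
void plc_scan_init(struct plc_scan *p, uint8_t address, uint32_t now_ms)
{
    p->address = address;
    p->state = PLC_OFFLINE;
    p->failures = 0;
    p->last_poll_ms = now_ms - PLC_MIN_POLL_GAP_MS;
    p->last_good_ms = now_ms - PLC_STALE_MS;
    p->offline_since_ms = now_ms - PLC_OFFLINE_RETRY_MS;
}

/* Should this PLC be addressed now? Honors the 3/s limit and the 1-minute
 * skip for an off-line PLC, so an unplugged cable does not tie up the scan. */
bool plc_scan_due(const struct plc_scan *p, uint32_t now_ms)
{
    if ((uint32_t)(now_ms - p->last_poll_ms) < PLC_MIN_POLL_GAP_MS) return false;
    if (p->state == PLC_OFFLINE &&
        (uint32_t)(now_ms - p->offline_since_ms) < PLC_OFFLINE_RETRY_MS) return false;
    return true;
}

/* Record the outcome of one transaction. Any error (CRC, address, exception,
 * parity, timeout) counts as a failure; after PLC_MAX_RETRIES the PLC is taken
 * off the active scan list and the caller raises the communications error. */
void plc_scan_result(struct plc_scan *p, uint32_t now_ms, bool ok)
{
    p->last_poll_ms = now_ms;
    if (ok) {
        p->state = PLC_ONLINE;
        p->failures = 0;
        p->last_good_ms = now_ms;
        return;
    }
    if (++p->failures >= PLC_MAX_RETRIES) {
        p->state = PLC_OFFLINE;          /* off the active scan list */
        p->offline_since_ms = now_ms;
        p->failures = 0;
    } else {
        p->state = PLC_RETRYING;
    }
}

/* Data may be used only while the PLC is on line and the last good read is
 * under 1 minute old; in every other case the answer is "invalid", never a
 * stale value carried forward. */
bool plc_scan_data_valid(const struct plc_scan *p, uint32_t now_ms)
{
    return p->state == PLC_ONLINE &&
           (uint32_t)(now_ms - p->last_good_ms) < PLC_STALE_MS;
}
```

Because both PLCs share the same rules, a scan loop holds one of these structures per address (4 and 5 for the BSY area) and, on each pass, polls every PLC for which plc_scan_due() is true; the unsigned subtraction keeps the comparisons correct across a 32-bit clock wrap.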

Communications Error Handling:

A mismatch in any of the RS232 parameters (baud, parity, LRC, etc.) between the EPICS system and the BEL PLC systems shall not result in erroneous data or in associating the data of one PLC with the address of another. No communication error shall result in an erroneous beam power value.

Overwrites:

Precaution should be observed in the design of the software to ensure that the data passed to other applications cannot be overwritten by other applications. Due care should be given in the design of any application using the beam power data to perform redundant checks of the beam mode status value. This requirement should be reflected in the software documentation for this application.

Interrupt Handling:

Interrupts on the EPICS IOC shall not affect the update rate of the BEL status readbacks.

EPICS records:

EPICS records shall be continuously updated with the actual latest value of the PLC readback. Records shall not be “update on change” only.

All records for this application shall be “read only” by other applications, including “Spy” or similar utility functions.

The EPICS system shall maintain at least the following records for each PLC:

PLC Address - Decimal address of PLC

Current PLC Mode - Decimal or string value of current PLC mode

Last Mode - Mode of PLC in scan n-1.

PLC Health - 1 = Health good, 0 = Health bad

PLC Mode Status - 0 = valid mode, > 0 = error code, see below:

Bad/non existent address

PLC not responding

Bad State

PLC health status

System Wide records:

The EPICS system shall maintain the following system wide records:

(The numbers given below are for reference purposes only. The application programmer may use descriptive variable names instead of a number.)

Alarms:

In addition to the other alarms identified, the EPICS software should maintain the following alarms

System 1 not equal to System 2 (within 5%)

Communications error.

Data Logging:

A data log event file shall be automatically updated any time an event occurs.

Individual files shall be maintained for a 24 hour period starting at or near 00:00.

File format:

MM/dd/yy hh:mm:ss  Location  Parameter  Data  Event  Action

Example:

04/09/99 03:33:00  System 1  Operations Envelope  1060 kW  Warn   Current reduced

04/09/99 03:33:20  System 1  Operations Envelope  1060 kW  Fault  Beam Shutdown

04/09/99 03:36:00  System 1  Operator Reset

04/09/99 17:24:15  System 2  Self Test  Passed

Simulation Mode: 

Provision can be made to implement a simulation mode where the PLC input data is taken from a user input instead of the actual data from the PLCs. This mode is intended to be used as a tool for certification of the software as well as a diagnostic for troubleshooting problems with the system and its interfaces. Use of the simulation mode will result in the electron guns being shut off.

Simulation mode is entered by the operator entering a five character password code. At such time, the input data are taken from user inputs either from a file or directly from a user screen. Access to the user screen and the access code shall be strictly controlled. At this time only the Safety System Group Leader or the Deputy Safety System Group Leader shall be able to enable the simulation mode.

All of the following conditions SHALL be true in order for the software to be in simulation mode:

[
  (
    ( The FSD master node is fully unmasked (mask value = 0000h)
      AND
      The FSD master node is faulted
    )
    OR
    ( The gun high voltage is OFF (= 0 V)
      AND
      The FSD master node is faulted
    )
  )
  AND
  The injector BCM readback < 1 uA
  AND
  Simulation Mode Code = {value}
  AND
  Timer > {value}
]

If any of the above conditions are not true then the simulation mode shall not be instantiated.

This logic shall be continuously checked while in simulation mode.

The simulation mode user screen shall include a visible indicator of the simulation mode status.

Once the user enters the password code there shall be a countdown timer which will automatically revert back to the operational mode (out of sim mode) in 15 minutes. The timer should start at a value of 16 minutes and count down to zero. The function should exit the simulation function when the timer reaches 1 minute but the timer should continue down to zero. This overlap is to allow for errors that could be introduced by having a comparison value at zero.

When the timer function is started the software should also check the initial value of the timer to ensure that it equals 16 minutes. If the value does not equal 16 minutes then the software should alert the operator and exit the simulation mode.

The default mode shall be the operational mode. Under no circumstances shall the software be able to automatically switch to the simulation mode.

The default value for the timer shall be zero.
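The simulation-mode permissive and its timer, as written in the paragraphs above, in an added C example (not code from the specification or from EPICS). The structure layouts, field names and the handling of the five-character code are assumptions; the page says only that the code exists and that access to it is controlled. The only path that sets the mode active is the operator request, which loads the timer, reads it back against 16 minutes and then evaluates the full permissive; the periodic tick can only drop the mode, never re-enter it, and the timer keeps counting to zero after the mode has exited at the 1-minute mark.

```c
/* Added example, not code from the BELS specification or from EPICS.
 * Assumptions: field names, a caller-supplied clock in whole seconds, and a
 * fixed-length 5-character code compared without early exit. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define SIM_CODE_LEN       5
#define SIM_TIMER_START_S  (16 * 60)  /* timer must start at exactly 16 minutes */
#define SIM_EXIT_AT_S      (1 * 60)   /* leave sim mode when the timer reaches 1 minute */

struct sim_inputs {
    uint16_t fsd_mask;            /* FSD master node mask; 0000h = fully unmasked */
    bool     fsd_faulted;         /* FSD master node faulted */
    double   gun_hv_volts;        /* gun high voltage; OFF = 0 V */
    double   injector_bcm_ua;     /* injector BCM readback in microamps */
    char     entered_code[SIM_CODE_LEN + 1];
};

struct sim_state {
    bool active;    /* default: operational mode */
    int  timer_s;   /* countdown timer; default: zero */
};

/* Fixed-length compare of the 5-character code: both must be exactly 5
 * characters, and every position is examined so timing does not leak a prefix. */
static bool sim_code_matches(const char *entered, const char *expected)
{
    if (strlen(entered) != SIM_CODE_LEN || strlen(expected) != SIM_CODE_LEN) return false;
    unsigned diff = 0;
    for (int i = 0; i < SIM_CODE_LEN; i++)
        diff |= (unsigned)(unsigned char)entered[i] ^ (unsigned)(unsigned char)expected[i];
    return diff == 0;
}

/* The permissive exactly as the specification lists it:
 * [ ((FSD unmasked AND FSD faulted) OR (gun HV off AND FSD faulted))
 *   AND injector BCM < 1 uA AND code correct AND timer > exit value ] */
bool sim_permissive(const struct sim_inputs *in, const struct sim_state *s,
                    const char *expected_code)
{
    bool fsd_branch = (in->fsd_mask == 0x0000) && in->fsd_faulted;
    bool hv_branch  = (in->gun_hv_volts == 0.0) && in->fsd_faulted;
    return (fsd_branch || hv_branch)
        && in->injector_bcm_ua < 1.0
        && sim_code_matches(in->entered_code, expected_code)
        && s->timer_s > SIM_EXIT_AT_S;
}

/* Safe defaults: operational mode, timer at zero. */
void sim_init(struct sim_state *s) { s->active = false; s->timer_s = 0; }

/* Operator request to enter simulation mode; the only path that can set
 * active = true. The timer is loaded, read back and verified against
 * 16 minutes before the permissive is evaluated (a read-back mismatch is
 * where the operator alert would be raised). Returns whether the mode was
 * entered; on any failure the state is operational. */
bool sim_request(struct sim_state *s, const struct sim_inputs *in, const char *expected_code)
{
    s->timer_s = SIM_TIMER_START_S;
    if (s->timer_s != SIM_TIMER_START_S || !sim_permissive(in, s, expected_code)) {
        s->active = false;
        return false;
    }
    s->active = true;
    return true;
}

/* Periodic tick with the elapsed seconds. The timer counts all the way to
 * zero; simulation mode drops out as soon as the permissive fails, which is
 * at the 1-minute mark at the latest. This function never re-enters the mode. */
void sim_tick(struct sim_state *s, const struct sim_inputs *in,
              const char *expected_code, int elapsed_s)
{
    s->timer_s = (s->timer_s > elapsed_s) ? s->timer_s - elapsed_s : 0;
    if (s->active && !sim_permissive(in, s, expected_code))
        s->active = false;
}
```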

4.0 Quality Assurance:

All software applications developed for this requirement shall be bench tested before installation in the field. Preliminary acceptance of the software function shall be by the Safety Systems Group Leader or Designee.

All software developed for this requirement shall undergo a design review by a computer scientist other than the developer. Design review comments and correction plans shall be documented.

Development of this software application should follow accepted good practice for medium to high integrity software (mission/safety critical) applications.

This software shall be under PSS configuration control as a level 1 device (2). Any changes to the released software shall require written approval by the acting Safety Systems Group Leader prior to any changes.

Any changes to this software application, the EPICS version, the RTOS version, or the IOC CPU the software runs on after final acceptance shall require reverification of the functionality of the application.

The software developed to this specification shall be documented using good practice for software documentation. All documentation should be easily readable by anyone familiar with C language programming and/or EPICS software.

Documentation should include information and/or cautions for persons wishing to use the data generated by this application.

All programs, applications, and documentation developed under this requirements document shall follow CEBAF version control procedures.

This software application shall be “owned” by the Controls Software Group.

5.0 Security:

All files and data generated from this software application shall be maintained under strict configuration control. Access to program files, boot scripts, and other information used in the operation of the program shall be strictly maintained. Access to such files and scripts shall be under the administration of the Deputy Group Leader for Software Controls.

It shall not be possible to alter this application or comment it out of the IOC boot script without the explicit approval of the Deputy Group Leader for Software Controls and the Safety Systems Group Leader, or their respective designees. Alteration of this program includes alteration of any function or ancillary program used by this application.

It shall not be possible to change or alter the EPICS records generated by this program. The only exception to this is if a “simulation mode” (see section on …) is implemented.



6.0 References:

1. Modicon Modbus Protocol Reference Guide, PI-MBUS-300 Rev. G, Nov. 1994

2. BEL System Description

Revision History:

Revision - Draft

Appendix 1. Validation Checklist

Communications Error Handling

Reference            | Test                                                   | Description                                                             | Expected Response
RS/232 Errors        | Port disconnected at PLC                               | RS232 cable is unplugged at PLC end.                                    | Software detects loss of communication. Mode read = invalid.
                     | Port reconnected at PLC                                | RS232 cable is plugged back in at PLC end.                              | Software detects PLC back on line. Restores communication = 1 min.
                     | Port disconnected at IOC                               | RS232 cable is unplugged at IOC end.                                    | Software detects loss of communication. Mode read = invalid.
                     | Port reconnected at IOC                                | RS232 cable is plugged back in at IOC end.                              | Software detects PLC back on line. Restores communication = 1 min.
                     | PLC baud > IOC baud                                    | PLC baud rate set to > IOC baud rate. Communication attempted.          | IOC detects error. Beam mode read = invalid.
                     | PLC baud < IOC baud                                    | PLC baud rate set to < IOC baud rate. Communication attempted.          | IOC detects error. Beam mode read = invalid.
                     | PLC set to no parity                                   | PLC comm. parameters set for no parity.                                 | IOC detects parity error. Beam mode read = invalid.
                     | IOC set to no parity                                   | IOC comm. parameters set for no parity.                                 | PLC detects parity error. Set comm. error status bit.
                     | PLC set to no stop bit                                 | PLC comm. parameters set for no stop bit.                               | IOC detects comm. error. Beam mode read = invalid.
                     | IOC set to no stop bit                                 | IOC comm. parameters set for no stop bit.                               | IOC detects comm. error. Beam mode read = invalid.
Initialization Tests | PLC stopped                                            | PLC logic stopped.                                                      | IOC detects PLC stopped. Beam mode = invalid.
                     | PLC restart                                            | PLC logic restarted.                                                    | IOC detects PLC back on line. Normal comm. restored.
                     | PLC set to ASCII mode                                  | PLC comm. parameters set for ASCII mode. IOC in RTU mode.               | IOC detects comm. error. Beam mode = invalid.
                     | PLC status error                                       | PLC status error generated. Word > 0.                                   | IOC detects status error. Beam mode = invalid.
                     | PLC address not equal to EPICS scan list address       | PLC Modbus address set to value not equal to address in IOC scan list.  | PLC ignores IOC. IOC detects PLC off line.
                     | PLC address in return message not equal to PLC address | PLC status word address set to different value than RS232 address.      | IOC detects error. Beam mode read = invalid.



Recommended Test Set up:

PC to PLC Modbus connection
IBM AT connection