© 1987 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.

# A MICROPROCESSOR BASED STATUS CONTROL AND INTERLOCK PROTECTION SYSTEM FOR THE SRS

B.G. Martlew, D.G. Peters and D.E. Poole
SERC Daresbury Laboratory, Warrington WA4 4AD, England

### Abstract

Recently the status control and interlock protection sub-system of the SRS control system has been redesigned. Previously, a hardware-intensive approach was taken with separate interface modules for each type of controllable device. The new design utilises a microprocessor in a G64 system which gives greater versatility and flexibility by using software to handle the differences between the many types of device that have to be interfaced to the system, resulting in fewer module types of much simplified design. This has also led to a considerable reduction in both the size and cost of the new system compared to the old, while still retaining complete compatibility with the existing control system software. This 'Mk II' system has now been installed and commissioned on several beam lines and beam ports of the SRS and will be used for all future additions to the SRS control system.

### Introduction

The SRS computer control system has now been in operation for several years and has proved reliable and versatile. However, technology has progressed considerably since the system was designed and it was decided that one part of the system in particular, the status control and interlock monitoring system, would benefit from a complete redesign incorporating microprocessors. This paper describes the essential features of the re-designed status system.

#### Control system overview

The SRS control system is based on a two-level network of 32-bit computers (Concurrent Computer Corporation 3200 series) as shown in fig.1. The main computer provides the operator interface, network support and a wide range of application software [1]. It consists of a Model 3220 processor, 1 Mbyte of RAM, a 20 Mbyte fixed disc and a 20 Mbyte removable disc. The Model 3205 minicomputers handle the flow of data and commands from and to the plant. All plant interfacing is achieved using a CAMAC serial highway driving a number of plant control stations, each of which contains one or more CAMAC crates. The inter-computer networking and interfacing to operator consoles etc. are also handled by CAMAC interfaces.



Fig.1. SRS control system layout.

Within the 3205s, plant control is divided into three distinct sub-systems: i) Analogue input, ii) Analogue output and iii) Status I/O. Types (i) and (ii) are easily provided for by ADCs in the CAMAC crates or by other types of analogue interface, e.g. stepper motors. The status interfacing, however, requires a more extensive system of plant control and interlock monitoring hardware. All status control associated with a control station is handled by a number of 'status controllers' which interface to CAMAC via a 24-bit digital I/O module in the CAMAC crate.

### Status system

#### Function

The function of the status system is twofold. Firstly, it provides an interface between the operator and the plant to allow remote operation and monitoring of plant status. Secondly, it provides interlock protection of plant where required. Each plant item connected to the status system may have up to 16 separate interlocks associated with it. These interlocks may be either physical contacts, such as a water flow sensor, or software generated interlocks, such as an indication of the present status of another related plant item.

These two functions are clearly related. Obviously, the operator must be prevented from operating any device which has incomplete interlocks and he must also be provided with an indication of which interlock(s) has/have failed to allow him to take appropriate action. For the sake of brevity the combined status control and interlock monitoring system will be referred to simply as the 'status system'.

#### Hardware

The general arrangement of the status system is shown in fig.2. Physically, the status controller is located as close as possible to the CAMAC crate through which it is interfaced to the control system computers; the motherboards and interface modules are situated as near as possible to the plant to be controlled.



Fig.2. Status system structure.

<u>Interface to CAMAC</u>. As stated above, the link between CAMAC and the status system is provided by a digital I/O module. This provides a bus consisting of 16 input lines (combined address and command) and 16 output lines (data only). This bus may be used to communicate with up to 16 status controllers connected in a 'daisy-chain' fashion. Each status controller can handle up to 30 separate plant items.

<u>Status controller</u>. The status controller (shown in fig.3) is the central element in the status system. It is implemented using a G64 bus [2] and uses four plug-in cards: one processor/memory card and three interface cards. The processor/memory card is commercially available and contains a Motorola MC6809 microprocessor, 8 Kbytes of SRAM, 16 Kbytes of EPROM, an RS232 interface and a timer/counter. The three interface cards have all been designed at the Laboratory.



Fig.3. Status controller.

The RS232 interface is used to communicate with a portable computer or terminal. This is used to provide local control during commissioning or de-bugging of the system.

In order to prevent software 'lock-up' from occurring, several error detection features have been designed into the hardware. These include a watchdog timer which will cause the software to reset unless it is provided with regular timing pulses from within the software. The interface cards also detect certain 'illegal' conditions and signal the processor via an interrupt. While these systems cannot be guaranteed to fail safe, these self-checking features make them as good as conventional relay logic in this respect.

A crate with a single set of power supplies houses two six-slot G64 backplanes and so accommodates two independent status controllers.

<u>Highway</u>. The status controller communicates with plant interface modules via a multiplexed highway. This highway is required to operate over several tens of metres in electrically noisy environments. For this reason the highway uses 24 V logic levels and careful filtering to improve noise immunity. All modules connected to the highway must use opto-isolation on all inputs and high-current, high-voltage drivers on all outputs. The highway consists of 22 fully decoded address lines (no address decoding is needed on the interface modules), 16 bi-directional data lines, four control lines and eight power lines (all the interface modules receive their power from the status controller via the highway).

A terminator card is fitted to the end of the highway. This provides resistive termination of all signal lines and also contains active circuits which are regularly interrogated by the controller to check the integrity of the highway during operation.

<u>Interface modules</u>. The interface modules provide the link between the status system and the plant. Each interface module consists of a single Eurocard (160 mm × 100 mm) and is capable of driving two independent plant items.

Each plant item is provided for by three relay-driven outputs and three opto-isolated inputs together with 16 interlock inputs. To allow maximum flexibility of the system the exact functions of these inputs and outputs are defined in the software. This means that a single design module is capable of handling a wide range of different plant items. However, there are some devices which require specialised interface modules, and any extra features are incorporated by omitting the second channel and using the whole board for one, more complex, interface. Physically, the interface modules are mounted on a motherboard which provides all the signals and power that the modules require from the highway.

#### Software

The status system software is written entirely in assembler. This is for several reasons.

1) Fastest possible execution speed - this is essential for rapid response to interlock failures.

2) Programmer has complete control over the processor - this is not usually the case with a high level language/operating system combination.

3) Compactness - use of assembler allows the size of the software to be kept to a minimum. At present, the software occupies 6-7 Kbytes of memory.

The software consists of a main control loop which continually monitors the status and interlocks of every plant item connected to the system. These data are then processed by one of several 'driver' routines. The drivers contain all the device-specific code and, if necessary, send a new command to the relevant interface module. Also included in the control loop is a diagnostic routine that handles all local control requests.

Various interrupt routines exist which deal with I/O requests from the main control system computer, hardware error conditions, system time-keeping and power-on initialisation.

The software is table-driven and the EPROM containing the system code is identical for all systems. A database defining the function of each interface address and the configuration of the interlocks is prepared on a separate development system and blown into a data EPROM which is unique for each system.
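
The table-driven scan described above, sketched in C as an added example (not the SRS code, which is 6809 assembler). The record layouts, bit polarity, command codes, relay bit and the `watchdog_kicks` counter standing in for the hardware timer are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
enum { CMD_NONE, CMD_ON, CMD_OFF };   /* hypothetical operator command codes */
enum { OUT_RUN = 0x01 };              /* hypothetical relay output bit */

typedef struct {            /* one database row (per-system data EPROM) */
    uint16_t required;      /* mask: which of the 16 interlocks apply */
    uint8_t  driver;        /* index into drivers[] */
} item_cfg;

typedef struct {            /* live data for one plant item */
    uint16_t interlocks;    /* bit set = interlock complete */
    uint8_t  request;       /* pending operator command */
    uint8_t  output;        /* relay outputs, 0 = all de-energised */
    uint16_t failed;        /* failed interlocks, reported to the operator */
} item_state;

typedef void (*driver_fn)(const item_cfg *, item_state *);

/* Generic on/off device: trip on a missing interlock, refuse ON until clear. */
static void drv_onoff(const item_cfg *c, item_state *s)
{
    s->failed = c->required & (uint16_t)~s->interlocks;
    if (s->failed || s->request == CMD_OFF)
        s->output = 0;
    else if (s->request == CMD_ON)
        s->output |= OUT_RUN;
    s->request = CMD_NONE;              /* command consumed or rejected */
}

static const driver_fn drivers[] = { drv_onoff };
static unsigned watchdog_kicks;         /* stands in for the hardware timer */

/* One pass of the main control loop; returns the number of tripped items. */
int scan_pass(const item_cfg *cfg, item_state *st, size_t n)
{
    int tripped = 0;
    for (size_t i = 0; i < n; i++) {
        if (cfg[i].driver < sizeof drivers / sizeof drivers[0]) {
            drivers[cfg[i].driver](&cfg[i], &st[i]);
        } else {                        /* corrupt table entry: force a trip */
            st[i].output = 0;
            st[i].failed = 0xFFFF;
        }
        tripped += st[i].failed != 0;
    }
    watchdog_kicks++;                   /* only a completed pass kicks it */
    return tripped;
}
```

Because the watchdog is serviced only at the end of a completed pass, a driver that hangs stops the kicks and the hardware timer resets the processor, which is the lock-up protection the hardware section describes.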

### Future developments

It is intended to replace the two status highway driver cards by a single card using a purpose-designed gate-array, gaining reliability by the elimination of many separate ICs and an inter-board connector.

The interface module also lends itself to great simplification by changing to a gate-array, and will probably be converted because the numbers required will make it economically viable.

### Summary

This system has been in use on parts of the SRS for nearly two years. During this time there have been several minor problems, mostly due to software errors, which have generally been fixed within 2/3 hours. One of the major requirements of the system was that it should be completely compatible with the existing status system from the control system computer point of view. This has been achieved - both old and new systems are happily working side by side in several places on the SRS.

### References

- [1] D.E. Poole, W.R. Rawlinson and V.R. Atkins "The Control System for the Daresbury Synchrotron Radiation Source", in Proceedings of the Europhysics Conference on Computing in Accelerator Design and Operation, Berlin, September 1983.
- [2] GESPAC-SA, G64 Specification manual, February 1984.