Simplifying Cyclotron Safety

Programmable safety systems eliminate excessive wiring of hard-wired relays

Michigan State University’s National Superconducting Cyclotron Laboratory (NSCL), located on its East Lansing, MI, campus, currently operates two cyclotrons: the K500 — the first superconducting cyclotron — and the K1200 — presently the world’s highest energy continuous beam accelerator. Recently these cyclotrons have been coupled in tandem, greatly increasing the beam intensity for exploring rare exotic isotopes. Both accelerators require a surround of four feet of concrete plus two feet of steel to act as a safeguard against radiation. But physical barriers are not enough; keeping students and researchers at the laboratory safe from contamination also depends on the reliability of an electronic safety system.

A cyclotron guides the nuclei of atoms magnetically into a beam and, using RF, accelerates them electrically into a target, where they smash into other nuclei to produce newly formed isotopes and reveal the basic building blocks of matter. At the same time, these collisions can produce high or lethal amounts of radiation in the form of neutrons and photons. Inside a concrete bunker with a concrete door, called “the vault,” the beam of nuclei is accelerated and sent down along an evacuated tube. Superconducting magnets positioned around the tube redirect the beam into one of various other tubes and then finally sent to an experimental end-station, also located in a vault.

As NSCL senior physicist, Reginald Ronningen explains, “The vaults enclosing the cyclotron and experimental areas exclude personnel and greatly reduce the level of radiation outside the vaults. We are keeping personnel out because the accelerators produce radiation that could be harmful or deadly, depending on the situation. Once people are outside the vault, it is closed. Then, only under certain conditions can the accelerator be started. We also have a system of radiation detectors. When radiation levels get too high in occupiable areas, we can send signals to the safety processor to turn the accelerator’s power off so that it doesn’t create a hazardous environment.”

Safety interlocks are used throughout the cyclotron’s area. To enter the main area of the cyclotron vault, the operator unlatches a series of gates that have safety interlocks. Within the vault are push buttons with safety contacts and associated timers that start when the buttons are pushed. The area has to be closed in a specific sequence for the lock-down to progress. If only one gate is unlocked or one button is not pushed, the cyclotron will not start. Once all personnel leave that area, the operator locks different areas that proceed away from the cyclotron. When all areas within the vault are secure, the operator closes the shielding door — which also has safety switches — behind him. When the cyclotron area is clear of all personnel, all gates are locked, and the door is closed, only then can the cyclotron start. The problem is coordinating all of these buttons, gates, radiation detectors and other safety devices without having multiple PLCs and miles of wiring. The safety system must also have the ability to check switch contacts by sending signals to them to make sure they are properly functioning.

Among several ways to create a safety system, the easiest and least expensive is with a simple hard-wired relay system. “The initial cost is low, but it has a high cost of ownership if changes need to be frequently made, “ says Ronningen. Many manufacturers make relays that are connected to a PLC in a field-bus system to control safety devices. However, the technical demands on these types of safety systems are enormous because they must demonstrate fail-safe capability in accordance with established ANSI and OSHA safety standards to obtain proper approvals. Additionally, relays are subject to error functions such as bouncing, contamination, burning or contact welding, which compromises their ability to maintain a safe system.

When more safety devices are added into a relay system, wiring can become extremely complicated. The standard PLC itself can be another problem, as failure mode is not predictable. The preference during PLC failure is for the experiment to be terminated. However, in a worst-case scenario, it could instead open all the circuits on the safety devices, allowing the equipment to continue to run — an unacceptable hazard.

Specifically-designed safety relays are guaranteed to fail in a pre-defined safe condition. The safety relay, or safety interface module, consists of several components, including positively guided relays that are designed in a circuit to provide a redundant output. Also, a checking circuit detects not only internal relay faults, but faults in the safeguard wiring as well. Some relays use a redundant 3-channel system that detects shorts or open/closed contacts. A feedback control loop monitors external relays and contacts.

The next step with a complicated safety application is to use a programmable safety system (PSS) with a PLC that is designed for safety applications and has built-in redundancy and I/O modules. While these systems are more costly than a relay system, they are vastly simpler and offer scalability and flexibility and a guaranteed shut-off under PLC failure condition. A PSS takes over safety functions and standard functions in a control system and can even monitor an entire facility with hundreds of safety devices.

Ronningen says they found a system to accomplish their needs in the 3100 SafetyBUS p PSS, made by Pilz Automation Safety LP, Canton, MI. Without this type of system, he says, “We’d have to use several different processors to develop a safety system and they wouldn’t have the same ability as the expandable Pilz product. It would have been a nightmare.” This system is used with local DI, DO and DOT modules and DI-808 and DI-16 remote digital I/O modules (used to connect the safety devices).

Instead of having hundreds or thousands of feet of wiring to connect many relays, this bus system uses just one cable to hook together all the remote I/O modules. These modules then connect directly to the safety devices (or the safety devices can hook directly to the PSS). The system can also be interfaced to standard fieldbus systems such as DeviceNet or ControlNet for communication with the system control, diagnostics and data routing. Remote modules can be placed up to 11,343 ft away. These stand-alone I/O modules (8 inputs/8 outputs or 16 inputs) can be used to query transducers (e.g. emergency on/off switches, protective doors, two-hand switches) or to control actuators such as contacts. It is designed for Category 4 in accordance with EN 954-1 or AK6 in accordance with DUN 19250, thereby guaranteeing unrestricted implementation in safety applications.

Ronningen says, “The Pilz system works out very nicely for us because we can distribute all the safety devices with it. Outside of each vault used for experiments we plan to have a DI-16 and a DI-808 for the vault security devices and then those will be connected via the SafetyBUS p back to the main PSS processor.” To make sure the safety system is completely functional, Ronningen adds that they do quarterly tests, where simulations are done. “We do tests and inspections of devices. This is mandated by state regulations."

Ronningen explains that they chose to use this company because “We hadn’t seen anything else out on the market that compared to it. It was a joint decision between our electrical engineering department — the experts who really know the processors — and our safety group.” The choice has saved both time and money for the facility, says Ronningen. “After all, if you have to use two or three standard processors, you are paying for the hardware and the time to integrate them. With some of our applications we have 100 or more inputs to the SafetyBUS p system. And the nice thing about it is that we can always add more. Our lab looks different now from what it did just last summer. Who knows what our capabilities will be five years from now?”

—SG