Dear Konstantin,
So let me retract the term "safety issue" then, it was more a request/question for this type of
info between the fe and the odb.
We have most of what you mention:
* The HV hardware has current limits
* The Hardware has fixed ramping limits.
same for the software.
The issue occurs when e.g. one channel can not be turned on and ramp for some temp/specific
reason, and someone else is working on the daq and reloads the odb for e.g. 1h ago.
> > We have encountered a safety issue with our HPGe HV and it's midas frontend.
>
> At TRIUMF and other labs the words "safety issue" have very specific meaning and
> we tend to follow this guidance: MIDAS is not certified for and is not intended for use with
> safety critical applications as defined here:
> https://en.wikipedia.org/wiki/Safety-critical_system
>
> > A safety-critical system ... malfunction may result in ... following outcomes:
> > death or serious injury to people
> > loss or severe damage to equipment/property
> > environmental harm
>
> If this is your case, you should use properly certified software *and hardware*. Safety
> officers at most institutions require certified hardware interlocks and other protections to
> prevent such undesirable outcomes. Use of certified PLCs is sometimes permitted.
>
> But I suspect in your case, there is no "safety issue", you only want to protect some
> valuable but not critical equipment against accidental damage.
>
> In this case, you can probably use midas, but if midas malfunction may result in destroying
> your experiment (i.e. accidentally set wrong voltage on 3000 phototubes), you should also
> have hardware based protections (hardware limits on max/min high voltage). Most HV
> power supplies implement such protections (screw-driver actuated max voltage limits).
>
> If there is danger of destroying your experiment you should also have an independent
> review of your control system to avoid avoidable mistakes and obvious problems.
>
> > Turning off or changing HV unknowingly has to be avoided at all costs
>
> The function of changing high-voltage is implemented in your frontend program. Right in
> the place in this program where you transmit the voltage setting from ODB to the hardware
> is where you implement your protections (validate the voltage range, check that changing
> the voltage is permitted, etc). This protects you against unexpected/incorrect/erroneous
> changes in ODB (wrong ODB is loaded, wrong values in ODB, ODB is corrupted, etc).
>
> In addition, it is wise to set software based limits in the HV power supply (software
> controlled max high voltage, software controlled max current, etc). Most HV power supplies
> implement such functions.
>
> To ensure high voltage cannot be changed at the wrong times, you can also implement
> procedural and hardware protections, such as unplug the power supply control connection
> (usually ethernet or serial or usb cable). This will prevent you from monitoring the high
> voltage currents and the only solution is to use a power supply with a hardware "write
> protect" function (a key needs to be inserted and turned to allow changing anything).
>
> All of this is generic and applies to any controls software, not just MIDAS.
>
> Without at least some of these protections (especially protections in your frontend
> program), the questions you asked about loading ODB are insufficient.
>
> K.O. |