EP-ESE Electronics Seminars

A safety and reliability perspective of the CERN RadiatiOn Monitoring Electronics (CROME)

by Hamza Boukabache (CERN), Katharina Ceesay-Seitz (CERN), Saskia Kristina Hurst (CERN)


Zoom details are in the invitation email.

Make sure you have the latest Zoom client app to be able to connect https://cern.zoom.us/ -> Download client


Ionizing radiation monitoring is one of the main concerns of the Radiation Protection Group at CERN. After 30 years of reliable service, the ARea CONtroller (ARCON) system has reached the end of its lifecycle and is currently being replaced by new, more efficient radiation monitors with a high level of modularity to ensure better maintainability.  The new CERN RadiatiOn Monitoring Electronic (CROME) system has new detection front-ends that are capable of measuring very low dose rates down to 50 nSv h−1, whilst being able to measure radiation over an extensive range of 9 decades without any auto scaling. To reach these performances, the CROME Measurement and Processing Unit (CMPU) uses a versatile architecture that includes new read-out electronics developed by the Instrumentation and Logistics section of the CERN Radiation Protection Group as well as a reconfigurable system on chip (Xilinx Zynq-7000) capable of performing complex processing calculations. The FPGA section of that SoC implements several highly-parametrizable algorithms to calculate the dose rate and determine the values of safety-critical outputs that trigger alarms and machine interlocks. They are based on around 150 run-time configurable parameters and on the measurements received from the front-end electronics.

Being a safety system, CROME has to be compliant with both radiation monitoring standards  and with Safety Integrity Level 2. Our talk will start with an overview of the CROME System, its high level architecture as well as its detection performances. Then we will present the verification of the hardware safety integrity according to the IEC 61508 standard, which is related to random hardware failures. This verification includes the calculation of the probability of dangerous failure per hour (PFH) and the assessment of the “architectural constraints”. Architectural constraints are introduced, as they give the necessary constraints on the system architecture to ensure sufficient fault tolerance.

Next we will introduce our functional verification methodology that is used to reduce the risk of systematic faults. We will give an introduction to constrained-random simulation with functional coverage with the SystemVerilog Universal Verification Methodology and to Formal Property Verification with SystemVerilog Assertions. Then we will detail our methodology and specific verification challenges like the high number of parameters and the continuous real-time operation of the devices. Finally, we will present the results that we achieved with both methods so far. The talk will be concluded with an outlook to the further development and operation activities related to CROME and its future.