Interlocks for Magnet Protection System Iván Romera Ramírez, Markus Zerlauth - CERN
Outline • Aim of magnet protection • From the design phase until LHC implementation • Details of the design • Validation testing and operational procedures • Conclusions
Magnet powering for superconducting and normal conducting magnets
• Machine protection of the LHC starts already with its pre-injectors and the transfer lines
• Magnet powering and interlock systems in the SPS, transfer lines and the LHC are more or less identical
• ~40 electrical circuits with 150 nc (normal conducting) magnets in the LHC
• ~25 electrical circuits with 800 nc magnets in SPS extraction lines & CNGS
• ~1600 electrical circuits with 10 000 sc (superconducting) magnets in the LHC
Magnet Protection and Powering Interlock System
• LHC is CERN's first (mostly) superconducting machine (>10 000 sc magnets powered in 1700 circuits / 148 nc magnets powered in 48 circuits)
• The magnet powering system will account for a considerable fraction of beam dump requests due to (e.g. beam induced) magnet quenches, power converter failures, mains failures, etc.
• Due to its complexity and the requirement of flexibility (not all powering failures require beam dumps), the powering interlock systems are separated from the beam interlock system
• Due to the large stored energies in magnet powering (and other reasons such as max voltage during energy extraction, easier commissioning, etc.), the LHC powering has been divided into 8 sectors and 28 powering subsectors
• Disadvantage is a larger equipment inventory, need for tracking between sectors, etc.
• Unlike in CERN's pre-accelerators, interlocking is not done by direct magnet protection – power converter links but through a dedicated powering interlock system (mainly due to complexity and for additional flexibility and diagnostic purposes)
Protection mechanisms for superconducting magnets / circuits (diagram labels: Power Converter with Power Permit, Internal failures / Ground Fault, Cooling Failures; Powering Interlock Controller with Network, UTC, Logging; AUG, UPS, Mains Failures; Beam Dump; Normal conducting cables; QPS with Quench Signal, Quench Heater, Energy Extraction; Superconducting Diode; HTS Current Leads; DFB; Magnet 1, Magnet 2, sc busbar)
PIC Project History (timeline slide, latest first)
• Radiation tests – Additional tests of CPLD in CNGS
• Commissioning – First commissioning (continued…)
• LHC Series – Fabrication
• Testing – Radiation, EMC and FMECA
• Pre Series – Fabrication
• LHC Design – Main design choices
• Adjustments
• Specification – 1st version of detailed interfaces between main clients
• Specification – 1st version of architecture of the Beam and Powering Interlock System
• String 2 – First prototype operation
Details of the design • Interlocks for magnet protection are designed following the basic MP principles • FAILSAFE: System must be safe by design (stop operation if system doesn’t work) • REDUNDANT: All critical paths are redundant • CRITICAL ACTIONS BY HARDWARE: No software involved on critical path • DEPENDABLE SYSTEM: Safety/Availability/Reliability • MASKING: Only possible if safety is not compromised (useful for commissioning)
Powering Interlock System for sc magnets (PIC)
• The Powering Interlock System assures correct powering conditions for sc magnet circuits during all operational phases
• Interfaces with Quench Protection and LHC Power Converters (several 1000s of channels each) and technical infrastructure (UPS, AUG, Cryogenics, Controls)
• Distributed system, installation close to main clients calls for EMC and radiation tolerant design
• Handling very large stored energies (GJ), system must be fast and reliable
• Represents 25 % of user inputs to the Beam Interlock System, thus calls for dependable design
Main functionalities & requirements
• Powering Interlock System (PIC) assures that all conditions for safe magnet powering are met:
• Upon start-up
• During operation
• Protection on a circuit by circuit basis
• Additional protection mechanisms on a powering subsector basis
• Linking magnet powering to technical services & safety systems (UPS, AUG, Cryogenics)
• Linking magnet powering to Beam Interlock System
• Provide the evidence of powering failures to operations
Conditions for powering (diagram: inputs to the Powering Interlock Controller (PIC), which gives the power permit to the power converters)
• Cryogenics: magnet and current leads must be at correct temperature
• Safety systems: must be ready (AUG – arrêt d'urgence général, general emergency stop; UPS – uninterruptible power supplies, …)
• Power converter: must be ready (including cooling water etc.)
• Quench protection system: must be ready (quench heaters charged, extraction switch closed)
• Operator / Controls: must give permission to power
Failures leading to energy extraction:
• Warming up of the magnet due to failure in the cryogenic system
• Warming up of the magnet due to quench in an adjacent magnet
• AUG or UPS fault
• Power converter failure
• Quench in a magnet inside the electrical circuit
Architecture • 28 powering subsectors, each managing between 5-48 circuits • 36 Powering Interlock Controllers (2 for long arcs)
Powering Interlocks – the circuit level (diagram: PIC, QPS and PC around one circuit of DFB, cryostat and magnets; signals PC_PERMIT, PC_FAST_ABORT, POWERING_FAILURE, PC_DISCHARGE_REQUEST between PIC and PC, CIRCUIT_QUENCH and DISCHARGE_REQUEST from the QPS)
• All conditions met for powering: PC_PERMIT
• Sum of internal converter faults: POWERING_FAILURE
• Magnet quench or Fast Abort from PIC: PC_FAST_ABORT
• Loss of coolant: PC_DISCHARGE_REQUEST
• No direct connection Magnet Protection – Converters, but use of industrial controllers (PLCs)
• Protection signals are exchanged via hardwired current loops
• Depending on stored energy, circuit complexity, QPS, etc., between 2-4 signals are exchanged per circuit
Interlock Types (diagram: QPS, PIC and PC per type, with the signals as labelled)
• Interlock Type A (= 13kA main + IT): PC_PERMIT, CIRCUIT_QUENCH, PC_FAST_ABORT, POWERING_FAILURE, PC_DISCHARGE_REQUEST, DISCHARGE_REQUEST
• Interlock Type B2 (= all quads of IPQD): PC_PERMIT_B1, PC_PERMIT_B2, PC_FAST_ABORT, CIRCUIT_QUENCH, POWERING_FAILURE
• Interlock Type B1 (= 600A EE, 600A no EE, 600A no EE crowbar + all dipoles of IPQD): PC_PERMIT, PC_FAST_ABORT, CIRCUIT_QUENCH, POWERING_FAILURE
• Interlock Type C (= 80-120A): PC_PERMIT, POWERING_FAILURE
Powering Interlocks – ‘global’ interlocks (diagram: one PIC per subsector with ×N power converters and ×M QPS units; circuit signals PC_PERMIT, PC_FAST_ABORT, CIRCUIT_QUENCH, POWERING_FAILURE, PC_DISCHARGE_REQUEST, DISCHARGE_REQUEST; global signals CRYO_MAINTAIN, AUG_OK, UPS_OK, Quench_propagation)
• Global interlocks
• In addition to circuit-by-circuit treatment, global interlocks will provoke runtime aborts of ALL circuits in a subsector
• Exchanged via hardware or between PLC-PLC
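A minimal model of the circuit-level and global interlock logic of the three slides above (conditions for powering, circuit-level signals, global aborts), written as an added example and not CERN's PLC code. The signal names are the slides'; the data layout, the `CIRCUIT_OK_QPS` loop name, and the evaluation order are assumptions.

```python
# Added example (not CERN's PLC code): circuit-level and global powering
# interlock evaluation. Data layout and evaluation order are assumptions.

# Hardwired signals are fail-safe current loops: a closed loop carries
# current and means "OK"; an open loop, or a missing reading, means FAULT.
def loop_ok(signals, name):
    return signals.get(name) is True

# Start-up conditions per circuit (slide "Conditions for powering").
START_CONDITIONS = ("CRYO_START", "QPS_OK", "PC_READY", "OPERATOR_PERMIT",
                    "AUG_OK", "UPS_OK")
# Global conditions: a fault here aborts ALL circuits of the subsector.
GLOBAL_CONDITIONS = ("CRYO_MAINTAIN", "AUG_OK", "UPS_OK")


class Circuit:
    def __init__(self, name):
        self.fast_abort = False  # PC_FAST_ABORT is latched until reset

    def evaluate(self, signals, global_fault):
        # Runtime aborts: the quench loop of this circuit opens, a quench
        # propagates from a neighbouring circuit, or a global fault.
        if (not loop_ok(signals, "CIRCUIT_OK_QPS")
                or signals.get("QUENCH_PROPAGATION") is True
                or global_fault):
            self.fast_abort = True
        start_ok = all(loop_ok(signals, c) for c in START_CONDITIONS)
        return {"PC_PERMIT": start_ok and not self.fast_abort,
                "PC_FAST_ABORT": self.fast_abort}

    def reset(self):
        # Cleared only by an explicit reset, never by the fault vanishing.
        self.fast_abort = False


class PoweringInterlockController:
    """One PIC handling the circuits of one powering subsector."""

    def __init__(self, circuits):
        self.circuits = {c: Circuit(c) for c in circuits}

    def cycle(self, global_signals, circuit_signals):
        global_fault = not all(loop_ok(global_signals, g)
                               for g in GLOBAL_CONDITIONS)
        result = {}
        for name, circ in self.circuits.items():
            # Global loops (AUG, UPS) also count among the start conditions.
            merged = {**global_signals, **circuit_signals.get(name, {})}
            result[name] = circ.evaluate(merged, global_fault)
        return result
```

Calling `cycle()` once per PLC cycle with the current loop readings yields PC_PERMIT and PC_FAST_ABORT per circuit; a latched abort survives the quench loop closing again.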
Powering Interlocks – start-up interlocks (diagram: surface – ‘software’ signal exchange of QPS_OK, CRYO_START, UPS_START, CABLE_CONNECT, CONFIG_DATA between CRYO SCADA, QPS SCADA and PIC SCADA; tunnel – hardwired signal exchange of PC_PERMIT, PC_FAST_ABORT, CIRCUIT_QUENCH, POWERING_FAILURE, PC_DISCHARGE_REQUEST, DISCHARGE_REQUEST between QPS, PIC and PC)
• Start-up interlocks
• In addition to hardwired interlocks, several software interlocks exist
• Exchanged via CMW, DIP, etc. between SCADA systems
• Verified ONLY upon start-up, thus not provoking aborts during powering
Interface to Beam Interlock System (1/2) (diagram: PIC → CIBU (ESS), unmaskable, essential circuits, with USER_PERMIT_A and USER_PERMIT_B; PIC → CIBU (AUX), maskable, essential + auxiliary circuits, with USER_PERMIT_A and USER_PERMIT_B; BEAM_INFO; both CIBUs → BIC)
• Both user permit signals needed for redundancy
• Removal of a single USER_PERMIT triggers a Beam Dump Request
• BEAM_INFO signal for monitoring purpose
• Beam dump decision taken by the BIC
Interface to Beam Interlock System (2/2) (diagram: SIEMENS 319 CPU → PROFIBUS → MATRIX, max 16 inputs per patch panel, max 96 inputs in total; ESSENTIAL CIRCUITS = UNMASKABLE BEAM DUMP REQUEST OF THIS PIC; ESSENTIAL + AUXILIARY CIRCUITS = MASKABLE BEAM DUMP REQUEST OF THIS PIC)
• A XILINX XC95144 CPLD is used for redundancy and speed in the beam dump request of the Powering Interlock System
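The two beam dump request paths of one PIC towards the BIS, as an added example that is not the PIC's PLC program or CPLD firmware: the redundant USER_PERMIT_A/B pair comes from two independent evaluators (modelled here as a PLC-style dict evaluation and a CPLD-style bit matrix), the ESS path is unmaskable and the AUX path maskable, and the BIC dumps as soon as a single permit of an unmasked input is missing. Circuit names, the bit layout and the 4-input matrix size are constructed.

```python
# Added example (not CERN firmware): PIC -> BIS permits with A/B redundancy.
# Circuit names, bit positions and matrix size are constructed.

def plc_permits(circuit_ok: dict, essential: set) -> tuple:
    """PLC path: circuit states as a dict (True = OK, anything else = fault).
    Returns (essential permit, essential+auxiliary permit)."""
    ess = all(circuit_ok.get(c) is True for c in essential)
    aux = ess and all(v is True for v in circuit_ok.values())
    return ess, aux

def cpld_matrix(inputs: int, ess_mask: int, aux_mask: int) -> tuple:
    """CPLD path: circuit states packed as bits (1 = OK); the matrix masks
    select which inputs are essential and which are auxiliary."""
    ess = (inputs & ess_mask) == ess_mask
    aux = ess and (inputs & aux_mask) == aux_mask
    return ess, aux

def user_permits(circuit_ok: dict, essential: set, bit_of: dict) -> dict:
    """Assemble the CIBU inputs: USER_PERMIT_A from the PLC path,
    USER_PERMIT_B from the CPLD path.
    CIBU (ESS) is unmaskable and covers essential circuits only;
    CIBU (AUX) is maskable and covers essential + auxiliary circuits."""
    ess_a, aux_a = plc_permits(circuit_ok, essential)
    inputs = sum(1 << bit_of[c] for c, ok in circuit_ok.items() if ok is True)
    ess_mask = sum(1 << bit_of[c] for c in essential)
    aux_mask = sum(1 << bit_of[c] for c in circuit_ok if c not in essential)
    ess_b, aux_b = cpld_matrix(inputs, ess_mask, aux_mask)
    return {"ESS": (ess_a, ess_b), "AUX": (aux_a, aux_b)}

def bic_dump_request(permits: dict, aux_masked: bool = False) -> bool:
    """BIC side: removal of a single USER_PERMIT (A or B) of an unmasked
    input triggers a beam dump; the ESS input can never be masked."""
    ess_a, ess_b = permits["ESS"]
    aux_a, aux_b = permits["AUX"]
    ess_fault = not (ess_a and ess_b)
    aux_fault = not (aux_a and aux_b)
    return ess_fault or (aux_fault and not aux_masked)
```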
Mechanisms for secure configuration (1/2)
• LHC Functional Layout Database as unique source of information
• Configuration data required for PLCs, CPLDs and SCADA
• Consistency guaranteed with strict versioning scheme and approval process before migration to new data version
• Dedicated script for the generation of configuration data
• Files signed with Cyclical Redundancy Check (CRC)
• SCADA configuration file will contain all checksums for validation
• Flexibility for Commissioning
• No changes during operation without repeating all commissioning procedures!!
Mechanisms for secure configuration (2/2) (diagram: the PVSS DB holds Version, PLC HW CRC, PLC SW CRC and Matrix CRC; over Ethernet each PLC publishes its Version, PLC HW CRC and PLC SW CRC; over PROFIBUS each matrix publishes its Version and Matrix CRC)
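The generation and validation side of the two configuration slides above, as an added example and not CERN's scripts: a versioned manifest with one CRC per PLC hardware, PLC software and matrix file is produced at generation time, and the SCADA compares the version and CRC that each device publishes against it. The manifest layout, file names and contents are constructed. A CRC catches corrupted files and mismatched versions, not a deliberate edit, which is why the slides pair it with the approval process and the rule that nothing changes during operation without recommissioning.

```python
# Added example (not CERN's tooling): versioned configuration manifest with
# CRC-32 checksums and its validation against what devices publish.
# Manifest format and file names are assumptions.
import json
import zlib

def crc32_hex(data: bytes) -> str:
    """CRC-32 of the file contents, as stored in the manifest."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"

def build_manifest(version: str, files: dict) -> dict:
    """Generation script side: one checksum per configuration file."""
    return {"version": version,
            "checksums": {name: crc32_hex(data) for name, data in files.items()}}

def to_scada_file(manifest: dict) -> str:
    """Serialise the manifest as the SCADA configuration file."""
    return json.dumps(manifest, sort_keys=True, indent=2)

def validate(manifest: dict, published: dict) -> list:
    """SCADA side: compare what each PLC / matrix publishes (version + CRC)
    against the approved manifest. Returns a list of problems; an empty
    list means the installed data matches the approved version."""
    problems = []
    for name, expected in manifest["checksums"].items():
        dev = published.get(name)
        if dev is None:
            # Fail-safe: a device that publishes nothing is a fault.
            problems.append(f"{name}: not published")
        elif dev["version"] != manifest["version"]:
            problems.append(f"{name}: version {dev['version']} != {manifest['version']}")
        elif dev["crc"] != expected:
            problems.append(f"{name}: CRC {dev['crc']} != {expected}")
    return problems
```

With the PIC rule from the slides, a non-empty result from `validate()` means the configuration is not the approved version and the system must not be declared operational until the commissioning procedures are repeated.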
EMC and Radiation tests
• 2009 – Radiation equipment installed in CNGS (proton target)
• 2×10^13 p/cycle, 20-30 Gy/week
• 4×8 = 32 CPLDs on dedicated boards
• Identical SW as used in the LHC devices, with remote monitoring (RS485 line drivers and PXI in control room)
• LabVIEW program to change address lines and input states of the CPLDs
• Setup is constantly comparing the outputs of the 32 CPLDs against each other
• Readout of critical path separated from monitoring part
• Conclusions:
• 3 ‘events’ detected in the monitoring part
• NONE in the critical path
• Potential destructive latch-up of one CPLD after 75 Gy (tbc)
• 2004 – Radiation tests in Louvain to validate main components (opto-couplers, AC/DC, …)
Powering Interlock System – Building blocks
• Distributed system over the whole LHC circumference, completely installed underground to remain close to clients
• 36 industrial controllers SIEMENS PLC 319 (‘normal’ PLC, i.e. non-safety but optimized for speed – 1 ms cycle time)
• 8000 remote I/O channels using compact (non-SIEMENS) modules with 32 I/Os each
• Total of ~500 electronic cards (designed in-house)
• 41 km of signal cables linking systems to main clients (QPS and power converters)
• Redundant power supplies throughout the system (known to be the weakest link in terms of MTBF)
Validation testing and Operational Procedures (diagram, three layers)
Operator console in the field control room:
• Signal mapping and SCADA functionality
• Supervision links in between systems
• Loading and transfer of configuration files
PLC in non-radiation area (via Ethernet technical network):
• Functionality of the PLC program
• Integrity of hardwired protection signals: >2300 fail-safe current loops with PCs, QPS, AUG, UPS, BIC
Profibus remote I/O close to clients (QPS, power converter): PC_PERMIT, CIRCUIT_QUENCH, PC_FAST_ABORT, POWERING_FAILURE, DISCHARGE_REQUEST, PC_DISCHARGE_REQUEST
Individual System Tests and Short Circuit Tests
• Individual System Tests
• 100% automated functional test in the lab (no HW failure yet in the tunnel after 4 years of operation)
• Preparation and repository archiving (PIC1 and PIC2 = operation)
• Installation in the tunnel
• Short circuit tests
• Interlock commissioning for 13kA circuits and participation in heat runs
• Interface tests with PC and QPS (to detect major cabling problems)
• System fully operational for all circuits during heat runs (without QPS equipment)
Interlocks Commissioning – PIC1 and PIC2
• Interlocks Hardware Commissioning (PIC1 & PIC2)
• During the 2 main HWC ~6000 tests have been performed to validate the powering interlock system to 100%
• ~920 circuits being physically connected to the PIC (depending on circuit type, between 2 – 14 tests to be done per circuit)
• Due to the large number of tests, automated tools were developed for execution & validation: a sequencer to automate test execution and analysis tools to automate test validation
• Only after successful completion of ALL interlock tests is the system declared operational
Conclusions • Powering Interlock System along with its clients assures that all conditions for safe powering are met at any time • Safety critical protection on a circuit by circuit level via hardwired interlocks • Additional protection mechanisms on powering subsector level, while allowing some flexibility for installation and commissioning • Supplementary software interlocks for start-up • During commissioning ONLY, some of these start-up interlocks can be masked by the expert (but masks clearly visible) • Only after full interlock commissioning, system is considered operational • Efforts for rigorous design and testing did pay off • not a single non-conformity in interlock systems during commissioning 2009 • not a single critical component failure since installation in 2006 • No modifications or tampering with interlocks after this phase
END Thank you for your attention
Warm Magnet Interlock System (WIC)
• Classical protection of nc magnets via thermo-switches, flow-meters, emergency stop buttons, etc.
• Use of industrial PLCs and remote I/O modules, relatively slow system
• In the LHC ‘only’ 45 circuits powering 149 magnets
(diagram: Power Converter receives Power Permit from and sends status info to the Warm Magnet Interlock Controller; per magnet (Magnet 1, Magnet 2) several thermo-switches @ 60°C, water flow, red button …)
Hardwired signals – Power Permit Loop (cable PIC–PC, +15 … 24 V; diagram by R. Schmidt, LHC-D-ES-0003-10-02)
• Powering Interlock Controller side – Powering Permit CMD_PWR_PERM_PIC: switch closed = permission for powering; switch open = no permission for powering
• Power Converter side – ST_UNLATCHED:PWR_PERMIT: signal present = powering permitted; signal to FALSE = powering not permitted (latched)
Hardwired signals – Circuit Quench Loop (+15 … 24 V; quench detection and energy extraction, 600 A)
• Quench detection side – Circuit Quench ST_CIRCUIT_OK_QPS: switch closed = no quench; switch open = quench
• Powering Interlock Controller – ST_ABORT_PIC: signal present = no Fast Power Abort; signal not present = Fast Power Abort
• Powering Interlock Controller – ST_FAST_POWER_ABORT: signal present = no Fast Power Abort; signal to FALSE = Fast Power Abort
• PIC Fast Power Abort Request CMD_ABORT_PIC (PIC to power converter): switch closed = operation ok; switch open = Fast Power Abort
• Power Converter – ST_FAULTS:FAST_ABORT: signal present = no Fast Power Abort; signal to FALSE = Fast Power Abort (latched)