Presentation is loading. Please wait.

Presentation is loading. Please wait.

Interlocks for Magnet Protection System Iván Romera Ramírez, Markus Zerlauth - CERN.

Published byEunice Butler Modified over 8 years ago

Similar presentations

Presentation on theme: "Interlocks for Magnet Protection System Iván Romera Ramírez, Markus Zerlauth - CERN."— Presentation transcript:

1 Interlocks for Magnet Protection System Iván Romera Ramírez, Markus Zerlauth - CERN

2 Interlocks for Magnet Protection System Outline  Aim of magnet protection  From the design phase until LHC implementation  Details of the design  Validation testing and operational procedures  Conclusions 2

3 Interlocks for Magnet Protection System Magnet powering for superconducting and normal conducting magnets ~1600 electrical circuits with 10 000 sc magnets in the LHC ~ 40 electrical circuits with 150 nc magnets in the LHC ~ 25 electrical circuits with 800 nc magnets in SPS extractions lines & CNGS  Machine protection of the LHC starts already with its pre-injectors and the transfer lines  Magnet powering and interlock systems in the SPS, transfer lines and the LHC are more or less identical

4 Interlocks for Magnet Protection System Magnet Protection and Powering Interlock System  LHC is CERNs first (mostly) superconducting machine (>10.000 sc magnets powered in 1700 circuits/ 148 nc magnets powered in 48 circuits)  Magnet powering system will account for a considerable fraction of beam dump requests due to (e.g. beam induced) magnet quenches, power converter failures, mains failures, etc..  Due to its complexity and the requirement of flexibility (not all powering failures require beam dumps), the powering interlock systems are separated from the beam interlock system  Due to large stored energies in magnet powering (and other reasons such as max Voltage during energy extraction, easier commissioning, etc…), the LHC powering has been divided into 8 sectors and 28 powering subsectors Disadvantage is larger equipment inventory, need for tracking between sectors, etc…  Other than in CERNs pre-accelerators, interlocking is not done by direct magnet protection – power converter links but through dedicated powering interlock system (mainly due to complexity and for additional flexibility and diagnostic purposes)

5 Interlocks for Magnet Protection System Protection mechanisms for superconducting magnets / circuits Magnet 1 Power Converter Magnet 2 HTS Current Leads sc busbar DFB Internal failures / Ground Fault Cooling Failures Network, UTC, Logging Beam Dump AUG, UPS, Mains Failures Normal conducting cables Quench Signal Superconducting Diode Energy Extraction Quench- Heater QPS Powering Interlock Controller Power Permit

6 Interlocks for Magnet Protection System PIC Project History String 2 – First prototype operation LHC Design – Main design choices Adjustments Pre Series – Fabrication Specification – 1 st version of Architecture of the Beam and Powering Interlock System Specification – 1 st version of Detailed interfaces between main clients Testing – Radiation, EMC and FMECA LHC Series – Fabrication Commissioning – First commissioning Continued… Radiation tests – Additional tests of CPLD in CNGS

7 Interlocks for Magnet Protection System Details of the design  Interlocks for magnet protection are designed following the basic MP principles FAILSAFE : System must be safe by design (stop operation if system doesn’t work) REDUNDANT : All critical paths are redundant CRITICAL ACTIONS BY HARDWARE: No software involved on critical path DEPENDABLE SYSTEM : Safety/Availability/Reliability MASKING : Only possible if safety is not compromised (useful for commissioning) 7

8 Interlocks for Magnet Protection System Powering Interlock System for sc magnets (PIC) 8  Powering Interlock System is assuring correct powering conditions for sc magnet circuits during all operation operational phases  Interfaces with Quench Protection and LHC Power Converters (several 1000s of channels each) and technical infrastructure (UPS, AUG, Cryogenics, Controls)  Distributed system, installation close to main clients calls for EMC and radiation tolerant design  Handling very large stored energies (GJ), system must be fast and reliable  Represents 25 % of user inputs to the Beam Interlock System, thus calls for dependable design

9 Interlocks for Magnet Protection System9 Main functionalities & requirements  Powering Interlock System (PIC) assures that all conditions for safe magnet powering are met: Upon Start-up During operation  Protection on a circuit by circuit basis  Additional protection mechanisms on a powering subsector basis  Linking magnet powering to technical services & safety systems (UPS, AUG, Cryogenics)  Linking magnet powering to Beam Interlock System  Provide the evidence of powering failures to operations

10 Interlocks for Magnet Protection System10 Conditions for powering Cryogenics: Magnet and current leads must be at correct temperature Power converter: must be ready (including cooling water etc.) Quench protection system: must be ready (quench heaters charged, extraction switch closed) Quench in a magnet inside the electrical circuit Warming up of the magnet due to failure in the cryogenic system Warming up of the magnet due to quench in an adjacent magnet AUG or UPS fault Power converter failure Powering Interlock Controller (PIC) Safety systems: must be ready (AUG – arret urgence general, UPS – uninterruptible power supplies, …) Power converters Energy extraction Operator / Controls: must give permission to power

11 Interlocks for Magnet Protection System11 Architecture 28 powering subsectors, each managing between 5-48 circuits 36 Powering Interlock Controllers (2 for long arcs)

12 Interlocks for Magnet Protection System12 QPS PC CIRCUIT_QUENCH POWERING_FAILURE PC_PERMIT PC_FAST_ABORT DISCHARGE_REQUEST PC_DISCHARGE_REQUEST Powering Interlocks – the circuit level PIC Magnet Cryostat Magnet DFB Magnet …  All conditions met for powering: PC_PERMIT  Sum of internal converter faults: POWERING_FAILURE  Magnet quench or Fast Abort from PIC: PC_FAST_ABORT  Loss of coolant: PC_DISCHARGE_REQUEST  No direct connection Magnet Protection – Converters, but use of industrial controllers (PLCs)  Protection signals are exchanged via hardwired current loops  Depending on stored energy, circuit complexity, QPS, etc.. in between 2-4 signals are exchanged / circuit

13 Interlocks for Magnet Protection System13 PC QPS PIC PC CIRCUIT_QUENCH POWERING_FAILURE PC_PERMIT PC_FAST_ABORT DISCHARGE_REQUEST PC_DISCHARGE_REQUEST Interlock Type A (=13kA main + IT) QPSPICPC CIRCUIT_QUENCH POWERING_FAILURE PC_PERMIT PC_FAST_ABORT Interlock Type B1 (=600A EE, 600A no EE, 600A no EE crowbar + all dipoles of IPQD) QPS PIC PC CIRCUIT_QUENCH POWERING_FAILURE PC_PERMIT_B2 PC_FAST_ABORT Interlock Type B2 (=all quads of IPQD) PICPC POWERING_FAILURE PC_PERMIT Interlock Type C (= 80-120A) Interlock Types PC_PERMIT_B1

14 Interlocks for Magnet Protection System14 PC QPS 1 PIC PC CIRCUIT_QUENCH POWERING_FAILURE PC_PERMIT PC_FAST_ABORT DISCHARGE_REQUEST PC_DISCHARGE_REQUEST Powering Interlocks – ‘global’ interlocks Magnet Cryostat Magnet DFB Magnet … CRYO_MAINTAIN Global interlocks In addition to circuit/circuit treatment, global interlocks will provoke runtime aborts of ALL circuits in a subsector. Exchanged via hardware or between PLC-PLC x N x M AUG_OKUPS_OKQuench_propagation

15 Interlocks for Magnet Protection System15 QPS PIC PC CIRCUIT_QUENCH POWERING_FAILURE PC_PERMIT PC_FAST_ABORT DISCHARGE_REQUEST PC_DISCHARGE_REQUEST Powering Interlocks – start-up interlocks Tunnel – Hardwired signal exchange Surface – ‘Software’ signal exchange QPS SCADA PIC SCADA QPS_OK QPS_OK, CRYO_START, UPS_START, CABLE_CONNECT, CONFIG_DATA Start-up interlocks In addition to hardwired interlocks, several software interlocks exist Exchanged via CMW, DIP, etc between SCADA systems Verified ONLY upon start-up, thus not provoking aborts during powering CRYO SCADA CRYO_START

16 Interlocks for Magnet Protection System16 Interface to Beam Interlock System (1/2) ESSENTIAL ESSENTIAL + AUXILIARY PIC CIBU (ESS) CIBU (AUX) BIC USER_PERMIT_A USER_PERMIT_B BEAM_INFOUSER_PERMIT_A USER_PERMIT_B MASKABLE UNMASKABLE  Both user permits signals needed for redundancy  Removal of a single USER_PERMIT triggers a Beam Bump Request  BEAM_INFO signal for monitoring purpose  Beam dump decision taken by the BIC

17 Interlocks for Magnet Protection System17 Interface to Beam Interlock System (2/2) SIEMENS 319 CPU Max 16 Inputs / Patch Panel Max 96 Inputs / Total PROFIBUS MATRIX ESSENTIAL CIRCUITS ESSENTIAL + AUXILIARY CIRCUITS = UNMASKABLE BEAM DUMP REQUEST OF THIS PIC = MASKABLE BEAM DUMP REQUEST OF THIS PIC  XILINX XC95144 CPLD is used for redundancy and speed in beam dump request for Powering Interlock System

18 Interlocks for Magnet Protection System Mechanisms for secure configuration (1/2)  LHC Functional Layout Database as unique source of information  Configuration data required for PLCs, CPLDs and SCADA  Consistency guaranteed with strict versioning scheme and approval process before migration to new data version  Dedicated script for the generation of configuration data  Files signed with Cyclical Redundancy Check (CRC)  SCADA configuration file will contain all checksums for validation  Flexibility for Commissioning  No changes during operation without repeating all commissioning procedures!! 18

19 Interlocks for Magnet Protection System Mechanisms for secure configuration (2/2) 19 … PVSSDB PLC matrix Ethernet PROFIBUS Version PLC HW CRC PLC SW CRC Version Matrix CRC PUBLISH Version PLC HW CRC PLC SW CRC Version Matrix CRC

20 Interlocks for Magnet Protection System EMC and Radiation tests  2009 – Radiation Equipment installed in CNGS (Proton target) 2x10e13 p/cycle, 20-30Gy/week 4x8=32 CPLDs on dedicated boards Identical SW as used in the LHC devices, with remote monitoring (RS485 line drivers and PXI in control room) Labview program to change address lines and input states of CPLD Setup is constantly comparing against each other the outputs of 32 CPLDs Readout of critical path separated from monitoring part Conclusions: 3 ‘events’ in monitoring part detected NONE critical path Potential destructive latch-up of one CPLD after 75 Gy (tbc)  2004 – Radiation tests in Louvaine to validate main components (opto-couplers, AC/DC,…) 20

21 Interlocks for Magnet Protection System Powering Interlock System – Building blocks  Distributed system over the whole LHC circumference, completely installed underground to remain close to clients  36 industrial controllers SIEMENS PLC 319 (‘normal’ PLC, ie non-safety but optimized for speed - 1ms cycle time)  8000 remote I/O channels using compact (non-SIEMENS) modules with 32 I/Os each  Total of ~500 electronic cards (designed in-house)  41 km of signal cables linking systems to main clients (QPS and power converters)  Redundant power supplies throughout the system (known to be weakest link in terms of MTBF)

22 Interlocks for Magnet Protection System22 Validation testing and Operational Procedures PC_DISCHARGE_ REQUEST Power Converter PC_PERMIT PC_FAST_ABORT POWERING_FAILURE QPS CIRCUIT_QUENCH DISCHARGE_ REQUEST Profibus PLC in non-radiation area Remote I/O close to clients Ethernet Technical Network Operator Console in the Field Control Room Functionality of the PLC Program Integrity of hardwired protection signals >2300 fail safe current loops with PCs, QPS, AUG, UPS, BIC Signal mapping and SCADA functionality Supervision links in between systems Loading and transfer of configuration files

23 Interlocks for Magnet Protection System Individual System Tests and Short Circuit Tests  Individual System Tests 100% automated functional test in the lab (no HW failure yet in tunnel after 4 years of operation) Preparation and repository archiving (PIC1 and PIC2 = operation) Installation in the tunnel  Short circuit tests Interlock commissioning for 13kA circuits and participation to heat runs Interface tests with PC and QPS (to detect major cabling problems) System fully operational for all circuits during heat runs (without QPS equipment)

24 Interlocks for Magnet Protection System Interlocks Commissioning – PIC1 and PIC2  Interlocks Hardware Commissioning (PIC1 & PIC2) During the 2 main HWC ~ 6000 tests have been performed to validate to 100% the powering interlock system ~920 circuits being physically connected to the PIC depending on circuit type between 2 – 14 tests to be done) Due to >> # tests, automated tools developed for execution & validation  Only after successful completion of ALL interlock tests declared operational Sequencer to automate test executionAnalysis tools to automate test validation

25 Interlocks for Magnet Protection System Conclusions  Powering Interlock System along with its clients assures that all conditions for safe powering are met at any time  Safety critical protection on a circuit by circuit level via hardwired interlocks  Additional protection mechanisms on powering subsector level, while allowing some flexibility for installation and commissioning  Supplementary software interlocks for start-up  During commissioning ONLY, some of these start-up interlocks can be masked by the expert (but masks clearly visible)  Only after full interlock commissioning, system is considered operational  Efforts for rigorous design and testing did pay off  not a single non-conformity in interlock systems during commissioning 2009  not a single critical component failure since installation in 2006  No modifications or tampering with interlocks after this phase 25

26 Interlocks for Magnet Protection System END Thank you for your attention

27 Interlocks for Magnet Protection System Magnet 1 Power Converter Magnet 2 Status info Thermoswitches Water Flow Red button… Several thermo- switches @ 60°C Power Permit Warm magnet Interlock Controller Warm Magnet Interlock System (WIC)  Classical protection of nc magnets via thermo-swicthes, flow-meters, emergency stop buttons, etc…  Use of industrial PLCs and remote I/O modules, relatively slow system  In LHC ‚only‘ 45 circuits powering 149 magnets in LHC

28 Interlocks for Magnet Protection System28 Hardwired signals - Power Permit Loop Powering Interlock Controller GND +15,,, 24 V Power Converter ST_UNLATCHED:PWR_PERMIT Signal present: Powering permitted Signal to FALSE: Powering not permitted (latched) Powering Permit: CMD_PWR_PERM_PIC Switch closed: permission for powering Switch open: no permission for powering LHC-D-ES-0003-10-02 by R.Schmidt Cable PIC-PC

29 Interlocks for Magnet Protection System29 Hardwired signals – Circuit Quench Loop Circuit Quench ST_CIRCUIT_OK_QPS Switch closed: no quench Switch open: quench Powering Interlock Controller GND +15,,, 24 V Power Converter ST_FAULTS:FAST_ABORT Signal present: no Fast Power Abort Signal to FALSE: Fast Power Abort (latched) Signal present: no Fast Power Abort ST_ABORT_PIC Signal not present: Fast Power Abort PIC Fast Power Abort Request CMD_ABORT_PIC Switch closed: operation ok Switch open: Fast Power Abort Quench detection Energy extraction 600 A ST_FAST_POWER_ABORT Signal present: no Fast Power Abort Signal to FALSE: Fast Power Abort

Download ppt "Interlocks for Magnet Protection System Iván Romera Ramírez, Markus Zerlauth - CERN."

Similar presentations

Jan Uythoven, AB/BTLHCCWG, 3 May 2006 Page 1 450 GeV Commissioning Machine Protection Needs to be commissioned to: Prevent damage with the used, higher.

Jan Uythoven, AB/BTLHCCWG, 3 May 2006 Page GeV Commissioning Machine Protection Needs to be commissioned to: Prevent damage with the used, higher.
LHC Machine Protection

LHC Machine Protection
“LHC Controls for Sector Test” Planning SPS Extraction Kicker and Septa LHC Injection Kicker and other equipment (beam stoppers, dumps,...) Etienne CARLIER.

“LHC Controls for Sector Test” Planning SPS Extraction Kicker and Septa LHC Injection Kicker and other equipment (beam stoppers, dumps,...) Etienne CARLIER.
André Augustinus 16 June 2003 DCS Workshop Safety.

André Augustinus 16 June 2003 DCS Workshop Safety.
LHC Machine Interlocks & Beam Operation LHC Machine Interlocks & Beam Operation ARW2011Bruno PUCCIO (CERN) 13 th April 2011 1v0 Thanks to Benjamin Todd.

LHC Machine Interlocks & Beam Operation LHC Machine Interlocks & Beam Operation ARW2011Bruno PUCCIO (CERN) 13 th April v0 Thanks to Benjamin Todd.
TE / CRG / Paulo Gomes The Control System for the LHC tunnel cryogenics, p. 1 CERN Portuguese Teachers Programme, 7 Sep 2011 Dr. Paulo Gomes on behalf.

TE / CRG / Paulo Gomes The Control System for the LHC tunnel cryogenics, p. 1 CERN Portuguese Teachers Programme, 7 Sep 2011 Dr. Paulo Gomes on behalf.
PIC configuration (maskable/unmaskable circuits) I. Romera MPP meeting – 07.03.2014.

PIC configuration (maskable/unmaskable circuits) I. Romera MPP meeting –
LHC UPS Systems and Configurations: Changes during the LS1 V. Chareyre / EN-EL LHC Beam Operation Committee 11 February 2014 EDMS No. 1354977111/02/2014.

LHC UPS Systems and Configurations: Changes during the LS1 V. Chareyre / EN-EL LHC Beam Operation Committee 11 February 2014 EDMS No /02/2014.
CERN Ivan Romera MPE-Technical meeting Status on CERN-ITER collaboration for Machine Protection Acknowledgments: J.Burdalo, R.Schmidt, S.Wagner, M.Zaera.

CERN Ivan Romera MPE-Technical meeting Status on CERN-ITER collaboration for Machine Protection Acknowledgments: J.Burdalo, R.Schmidt, S.Wagner, M.Zaera.
Technical review on UPS power distribution of the LHC Beam Dumping System (LBDS) Anastasia PATSOULI TE-ABT-EC Proposals for LBDS Powering Improvement 1.

Technical review on UPS power distribution of the LHC Beam Dumping System (LBDS) Anastasia PATSOULI TE-ABT-EC Proposals for LBDS Powering Improvement 1.
TE-MPE-TM 09/08/2012, TE-MPE-MS section WIC: Overview of on-going projects + Outlook to LS1 activities: - Short introduction to WIC systems - Booster renovation.

TE-MPE-TM 09/08/2012, TE-MPE-MS section WIC: Overview of on-going projects + Outlook to LS1 activities: - Short introduction to WIC systems - Booster renovation.
The Architecture, Design and Realisation of the LHC Beam Interlock System Machine Protection Review – 12 th April 2005.

The Architecture, Design and Realisation of the LHC Beam Interlock System Machine Protection Review – 12 th April 2005.
CRYOGENICS AND POWERING

CRYOGENICS AND POWERING
1 Copper Stabilizer Continuity Measurement Project CSCM Mini Review Powering Implementation H. Thiesen 30 November 2011.

1 Copper Stabilizer Continuity Measurement Project CSCM Mini Review Powering Implementation H. Thiesen 30 November 2011.
Powering Group of Circuit Doubts and proposals of the procedure reviewing team (Gianluigi, Rob, Sandrine, Matteo, Boris) Ref document: LHC-MPP-HCP-071.

Powering Group of Circuit Doubts and proposals of the procedure reviewing team (Gianluigi, Rob, Sandrine, Matteo, Boris) Ref document: LHC-MPP-HCP-071.
ITER – Interlocks Luis Fernandez December 2014 Central Interlock System CIS v0.

ITER – Interlocks Luis Fernandez December 2014 Central Interlock System CIS v0.
Operational tools Laurette Ponce BE-OP 1. 2 Powering tests and Safety 23 July 2009  After the 19 th September, a re-enforcement of access control during.

Operational tools Laurette Ponce BE-OP 1. 2 Powering tests and Safety 23 July 2009  After the 19 th September, a re-enforcement of access control during.
TE-MPE-EP, RD, 06-Dec-2013 1 QPS Data Transmission after LS1 R. Denz, TE-MPE-EP TIMBER PM WinCC OA Tsunami warning: https://cds.cern.ch/record/1424362.

TE-MPE-EP, RD, 06-Dec QPS Data Transmission after LS1 R. Denz, TE-MPE-EP TIMBER PM WinCC OA Tsunami warning:
Chamonix 20091 Risks due to UPS malfunctioning Impact on the Superconducting Circuit Protection System Hugues Thiesen Acknowledgments:K. Dahlerup-Petersen,

Chamonix Risks due to UPS malfunctioning Impact on the Superconducting Circuit Protection System Hugues Thiesen Acknowledgments:K. Dahlerup-Petersen,
1 Second LHC Splice Review Copper Stabilizer Continuity Measurement possible QC tool for consolidated splices H. Thiesen 28 November 2011 K. Brodzinski,

1 Second LHC Splice Review Copper Stabilizer Continuity Measurement possible QC tool for consolidated splices H. Thiesen 28 November 2011 K. Brodzinski,

Similar presentations

Ads by Google