Interlocks for Magnet Protection System

Iván Romera Ramírez, Markus Zerlauth - CERN
Outline
• Aim of magnet protection
• From the design phase until LHC implementation
• Details of the design
• Validation testing and operational procedures
• Conclusions
Magnet powering for superconducting and normal conducting magnets
• Machine protection of the LHC starts already with its pre-injectors and the transfer lines
• Magnet powering and interlock systems in the SPS, transfer lines and the LHC are more or less identical
• ~40 electrical circuits with 150 nc magnets in the LHC
• ~25 electrical circuits with 800 nc magnets in SPS extraction lines & CNGS
• ~1600 electrical circuits with 10 000 sc magnets in the LHC
Magnet Protection and Powering Interlock System
• LHC is CERN's first (mostly) superconducting machine (>10 000 sc magnets powered in 1700 circuits / 148 nc magnets powered in 48 circuits)
• The magnet powering system will account for a considerable fraction of beam dump requests due to (e.g. beam induced) magnet quenches, power converter failures, mains failures, etc.
• Due to its complexity and the requirement of flexibility (not all powering failures require beam dumps), the powering interlock systems are separated from the beam interlock system
• Due to the large stored energies in magnet powering (and other reasons such as maximum voltage during energy extraction, easier commissioning, etc.), the LHC powering has been divided into 8 sectors and 28 powering subsectors
  • Disadvantage is a larger equipment inventory, need for tracking between sectors, etc.
• Unlike in CERN's pre-accelerators, interlocking is not done by direct magnet protection – power converter links but through a dedicated powering interlock system (mainly due to complexity and for additional flexibility and diagnostic purposes)
Protection mechanisms for superconducting magnets / circuits
[Diagram labels: Powering Interlock Controller; Power Converter; QPS; Quench Signal; Quench Heater; Energy Extraction; Superconducting Diode; Magnet 1; Magnet 2; sc busbar; HTS Current Leads; DFB; Normal conducting cables. Inputs and outputs shown: Power Permit; Beam Dump; Internal failures / Ground Fault; Cooling Failures; AUG, UPS, Mains Failures; Network, UTC, Logging]
PIC Project History
[Timeline; the dates did not survive extraction. Milestones in the order they appear:]
• Radiation tests – Additional tests of CPLD in CNGS
• Commissioning – First commissioning
• LHC Series – Fabrication
• Testing – Radiation, EMC and FMECA
• Pre Series – Fabrication
• LHC Design – Main design choices; Adjustments
• Specification – 1st version of Detailed interfaces between main clients
• Specification – 1st version of Architecture of the Beam and Powering Interlock System
• String 2 – First prototype operation
Details of the design
• Interlocks for magnet protection are designed following the basic MP principles
  • FAILSAFE: System must be safe by design (stop operation if system doesn't work)
  • REDUNDANT: All critical paths are redundant
  • CRITICAL ACTIONS BY HARDWARE: No software involved on critical path
  • DEPENDABLE SYSTEM: Safety/Availability/Reliability
  • MASKING: Only possible if safety is not compromised (useful for commissioning)
Powering Interlock System for sc magnets (PIC)
• The Powering Interlock System assures correct powering conditions for sc magnet circuits during all operational phases
• Interfaces with Quench Protection and LHC Power Converters (several 1000s of channels each) and technical infrastructure (UPS, AUG, Cryogenics, Controls)
• Distributed system, installation close to main clients calls for an EMC and radiation tolerant design
• Handling very large stored energies (GJ), the system must be fast and reliable
• Represents 25 % of user inputs to the Beam Interlock System, thus calls for a dependable design
Main functionalities & requirements
• Powering Interlock System (PIC) assures that all conditions for safe magnet powering are met:
  • Upon start-up
  • During operation
• Protection on a circuit by circuit basis
• Additional protection mechanisms on a powering subsector basis
• Linking magnet powering to technical services & safety systems (UPS, AUG, Cryogenics)
• Linking magnet powering to Beam Interlock System
• Provide the evidence of powering failures to operations
Conditions for powering
• Cryogenics: Magnet and current leads must be at correct temperature
• Operator / Controls: must give permission to power
• Safety systems: must be ready (AUG – arrêt d'urgence général, UPS – uninterruptible power supplies, …)
• Power converter: must be ready (including cooling water etc.)
• Quench protection system: must be ready (quench heaters charged, extraction switch closed)
Failure cases shown in the diagram:
• Warming up of the magnet due to failure in the cryogenic system
• Warming up of the magnet due to quench in an adjacent magnet
• AUG or UPS fault
• Power converter failure
• Quench in a magnet inside the electrical circuit
[Diagram labels: Power converters; Powering Interlock Controller (PIC); Energy extraction]
Architecture
• 28 powering subsectors, each managing between 5-48 circuits
• 36 Powering Interlock Controllers (2 for long arcs)
Powering Interlocks – the circuit level
[Diagram labels: Cryostat; Magnet; DFB; QPS; PIC; PC. Signals: PC_PERMIT; CIRCUIT_QUENCH; PC_FAST_ABORT; POWERING_FAILURE; DISCHARGE_REQUEST; PC_DISCHARGE_REQUEST]
• No direct connection Magnet Protection – Converters, but use of industrial controllers (PLCs)
• Protection signals are exchanged via hardwired current loops
• Depending on stored energy, circuit complexity, QPS, etc., in between 2-4 signals are exchanged / circuit
Signal meanings:
• All conditions met for powering: PC_PERMIT
• Sum of internal converter faults: POWERING_FAILURE
• Magnet quench or Fast Abort from PIC: PC_FAST_ABORT
• Loss of coolant: PC_DISCHARGE_REQUEST
Interlock Types
• Interlock Type A (= 13kA main + IT), between QPS, PIC and PC: PC_PERMIT, CIRCUIT_QUENCH, PC_FAST_ABORT, POWERING_FAILURE, PC_DISCHARGE_REQUEST, DISCHARGE_REQUEST
• Interlock Type B1 (= 600A EE, 600A no EE, 600A no EE crowbar + all dipoles of IPQD), between QPS, PIC and PC: PC_PERMIT, CIRCUIT_QUENCH, PC_FAST_ABORT, POWERING_FAILURE
• Interlock Type B2 (= all quads of IPQD), between QPS, PIC and two PCs: PC_PERMIT_B1, PC_PERMIT_B2, CIRCUIT_QUENCH, PC_FAST_ABORT, POWERING_FAILURE
• Interlock Type C (= 80-120A), between PIC and PC: PC_PERMIT, POWERING_FAILURE
Powering Interlocks – 'global' interlocks
[Diagram labels: Cryostat; Magnet; DFB; QPS (x M); 1 PIC; PC (x N). Signals: PC_PERMIT; CIRCUIT_QUENCH; PC_FAST_ABORT; POWERING_FAILURE; DISCHARGE_REQUEST; PC_DISCHARGE_REQUEST]
Global interlocks
• In addition to circuit/circuit treatment, global interlocks will provoke runtime aborts of ALL circuits in a subsector. Exchanged via hardware or between PLC-PLC
• CRYO_MAINTAIN, AUG_OK, UPS_OK, Quench_propagation
Powering Interlocks – start-up interlocks
[Diagram labels: Surface – 'Software' signal exchange: QPS SCADA, CRYO SCADA, PIC SCADA, with QPS_OK and CRYO_START. Tunnel – Hardwired signal exchange: QPS, PIC, PC, with PC_PERMIT, CIRCUIT_QUENCH, PC_FAST_ABORT, POWERING_FAILURE, DISCHARGE_REQUEST, PC_DISCHARGE_REQUEST]
Start-up interlocks
• In addition to hardwired interlocks, several software interlocks exist
• Exchanged via CMW, DIP, etc. between SCADA systems
• Verified ONLY upon start-up, thus not provoking aborts during powering
• QPS_OK, CRYO_START, UPS_START, CABLE_CONNECT, CONFIG_DATA
Interface to Beam Interlock System (1/2)
[Diagram labels: PIC; MASKABLE (ESSENTIAL + AUXILIARY): USER_PERMIT_A, USER_PERMIT_B; UNMASKABLE (ESSENTIAL): USER_PERMIT_A, USER_PERMIT_B; BEAM_INFO; CIBU (ESS); CIBU (AUX); BIC]
• Both user permit signals are needed for redundancy
• Removal of a single USER_PERMIT triggers a Beam Dump Request
• BEAM_INFO signal for monitoring purposes
• Beam dump decision taken by the BIC
Interface to Beam Interlock System (2/2)
[Diagram labels: SIEMENS 319 CPU; PROFIBUS; MATRIX; Max 16 Inputs / Patch Panel; Max 96 Inputs / Total]
• ESSENTIAL CIRCUITS = UNMASKABLE BEAM DUMP REQUEST OF THIS PIC
• ESSENTIAL + AUXILIARY CIRCUITS = MASKABLE BEAM DUMP REQUEST OF THIS PIC
• XILINX XC95144 CPLD is used for redundancy and speed in beam dump request for Powering Interlock System
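The two matrix equations and the redundant USER_PERMIT_A / USER_PERMIT_B pair can be written out as fail-safe logic. This is an added illustration, not CERN code: the circuit names are constructed placeholders, the two status snapshots stand for the two redundant channels, and applying the mask on the receiving side is an assumption.

```python
# Added illustration, not CERN code. Circuit names are constructed placeholders.
ESSENTIAL = ("ess_circuit_1", "ess_circuit_2")
AUXILIARY = ("aux_circuit_1", "aux_circuit_2")


def all_ok(circuits, status):
    """Fail-safe AND: a circuit with no reported status counts as failed,
    just as an open current loop means the signal is absent."""
    return all(status.get(name) is True for name in circuits)


def user_permits(status):
    """Matrix equations from the slide, evaluated for one redundant channel."""
    unmaskable = all_ok(ESSENTIAL, status)               # essential circuits only
    maskable = unmaskable and all_ok(AUXILIARY, status)  # essential + auxiliary
    return {"unmaskable": unmaskable, "maskable": maskable}


def beam_dump_request(channel_a, channel_b, mask_set=False):
    """Combine USER_PERMIT_A and USER_PERMIT_B of both outputs.

    Losing either permit of a pair is enough to request a dump. The mask
    (assumed here to be applied by the receiver) can hide only the maskable
    request, never the unmaskable one.
    """
    a, b = user_permits(channel_a), user_permits(channel_b)
    unmaskable_req = not (a["unmaskable"] and b["unmaskable"])
    maskable_req = not (a["maskable"] and b["maskable"])
    return unmaskable_req or (maskable_req and not mask_set)


def healthy():
    """Constructed status snapshot with every circuit reporting OK."""
    return {name: True for name in ESSENTIAL + AUXILIARY}


if __name__ == "__main__":
    aux_fault = dict(healthy(), aux_circuit_1=False)
    print(beam_dump_request(healthy(), healthy()))
    print(beam_dump_request(aux_fault, healthy()))
    print(beam_dump_request(aux_fault, aux_fault, mask_set=True))
```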
Mechanisms for secure configuration (1/2)
• LHC Functional Layout Database as unique source of information
• Configuration data required for PLCs, CPLDs and SCADA
• Consistency guaranteed with a strict versioning scheme and approval process before migration to a new data version
• Dedicated script for the generation of configuration data
• Files signed with a Cyclic Redundancy Check (CRC)
• SCADA configuration file will contain all checksums for validation
• Flexibility for commissioning
• No changes during operation without repeating all commissioning procedures!
Mechanisms for secure configuration (2/2)
[Diagram labels: PVSS; DB; Ethernet; PLC (three shown); PROFIBUS; matrix (one per PLC); PUBLISH. Values shown at PVSS: Version, PLC HW CRC, PLC SW CRC, Matrix CRC. Values shown at the PLC: Version, PLC HW CRC, PLC SW CRC. Values shown at the matrix: Version, Matrix CRC]
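The check described on these two slides, comparing the version and checksums a controller reports against the reference held in the SCADA configuration, can be sketched as follows. This is an added example, not the project's code: CRC-32 from `zlib` is an assumption (the slides do not name the CRC variant), and the record layout and sample data are constructed.

```python
import zlib

CHECKED_ITEMS = ("PLC HW CRC", "PLC SW CRC", "Matrix CRC")  # names from the slide


def crc_hex(blob: bytes) -> str:
    """CRC-32 as 8 hex digits. A CRC catches accidental changes and wrong
    files; it does not authenticate who produced the data."""
    return f"{zlib.crc32(blob) & 0xFFFFFFFF:08x}"


def make_record(version: str, blobs: dict) -> dict:
    """Data version plus one checksum per configuration artefact."""
    return {"version": version, "crc": {k: crc_hex(v) for k, v in blobs.items()}}


def mismatches(reference: dict, reported: dict) -> list:
    """Compare what a controller reports with the SCADA reference record."""
    found = []
    if reported.get("version") != reference["version"]:
        found.append("Version")
    for item in CHECKED_ITEMS:
        got = reported.get("crc", {}).get(item)
        # A checksum that is not reported is a failure, never a pass.
        if got is None or got != reference["crc"][item]:
            found.append(item)
    return found


def configuration_valid(reference: dict, reported: dict) -> bool:
    return not mismatches(reference, reported)


# Constructed sample data: approved artefacts and three controller reports.
APPROVED = {
    "PLC HW CRC": b"rack=0;slot=2;module=cpu",
    "PLC SW CRC": b"program build 41",
    "Matrix CRC": b"essential=1,2;auxiliary=3,4",
}
REFERENCE = make_record("v7", APPROVED)
REPORT_OK = make_record("v7", APPROVED)
# One byte of the matrix configuration differs from the approved file.
REPORT_EDITED = make_record("v7", {**APPROVED, "Matrix CRC": b"essential=1,2;auxiliary=3,5"})
# Older data version, and the software checksum is not reported at all.
REPORT_STALE = {"version": "v6",
                "crc": {k: v for k, v in REFERENCE["crc"].items() if k != "PLC SW CRC"}}
```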
EMC and Radiation tests
• 2009 – Radiation equipment installed in CNGS (proton target)
  • 2x10e13 p/cycle, 20-30 Gy/week
  • 4x8=32 CPLDs on dedicated boards
  • Identical SW as used in the LHC devices, with remote monitoring (RS485 line drivers and PXI in control room)
  • LabVIEW program to change address lines and input states of the CPLDs
  • Setup constantly compares the outputs of the 32 CPLDs against each other
  • Readout of critical path separated from monitoring part
  • Conclusions:
    • 3 'events' detected in the monitoring part
    • NONE in the critical path
    • Potential destructive latch-up of one CPLD after 75 Gy (tbc)
• 2004 – Radiation tests in Louvain to validate main components (opto-couplers, AC/DC, …)
Powering Interlock System – Building blocks
• Distributed system over the whole LHC circumference, completely installed underground to remain close to clients
• 36 industrial controllers SIEMENS PLC 319 ('normal' PLC, i.e. non-safety but optimized for speed - 1ms cycle time)
• 8000 remote I/O channels using compact (non-SIEMENS) modules with 32 I/Os each
• Total of ~500 electronic cards (designed in-house)
• 41 km of signal cables linking systems to main clients (QPS and power converters)
• Redundant power supplies throughout the system (known to be the weakest link in terms of MTBF)
Validation testing and Operational Procedures
[Diagram labels: Operator Console in the Field Control Room; Ethernet Technical Network; PLC in non-radiation area; Profibus; Remote I/O close to clients; QPS; Power Converter. Signals: PC_PERMIT; CIRCUIT_QUENCH; PC_FAST_ABORT; POWERING_FAILURE; DISCHARGE_REQUEST; PC_DISCHARGE_REQUEST]
• Signal mapping and SCADA functionality
• Supervision links in between systems
• Loading and transfer of configuration files
• Functionality of the PLC program
• Integrity of hardwired protection signals: >2300 fail safe current loops with PCs, QPS, AUG, UPS, BIC
Individual System Tests and Short Circuit Tests
• Individual System Tests
  • 100% automated functional test in the lab (no HW failure yet in tunnel after 4 years of operation)
  • Preparation and repository archiving (PIC1 and PIC2 = operation)
  • Installation in the tunnel
• Short circuit tests
  • Interlock commissioning for 13kA circuits and participation in heat runs
  • Interface tests with PC and QPS (to detect major cabling problems)
  • System fully operational for all circuits during heat runs (without QPS equipment)
Interlocks Commissioning – PIC1 and PIC2
• Interlocks Hardware Commissioning (PIC1 & PIC2)
  • During the 2 main HWC ~6000 tests have been performed to validate the powering interlock system to 100%
  • ~920 circuits being physically connected to the PIC
  • Depending on circuit type, between 2 – 14 tests to be done
• Due to the large number of tests, automated tools were developed for execution & validation
  • Sequencer to automate test execution
  • Analysis tools to automate test validation
• Declared operational only after successful completion of ALL interlock tests
Conclusions
• Powering Interlock System along with its clients assures that all conditions for safe powering are met at any time
• Safety critical protection on a circuit by circuit level via hardwired interlocks
• Additional protection mechanisms on powering subsector level, while allowing some flexibility for installation and commissioning
• Supplementary software interlocks for start-up
• During commissioning ONLY, some of these start-up interlocks can be masked by the expert (but masks clearly visible)
• Only after full interlock commissioning, system is considered operational
• Efforts for rigorous design and testing did pay off
  • not a single non-conformity in interlock systems during commissioning 2009
  • not a single critical component failure since installation in 2006
• No modifications or tampering with interlocks after this phase
Thank you for your attention
Warm Magnet Interlock System (WIC)
• Classical protection of nc magnets via thermo-switches, flow-meters, emergency stop buttons, etc.
• Use of industrial PLCs and remote I/O modules, relatively slow system
• In the LHC 'only' 45 circuits powering 149 magnets
[Diagram labels: Power Converter; Warm magnet Interlock Controller; Status info; Power Permit; Several thermoswitches @ 60°C; Thermoswitches; Water Flow; Red button…; Magnet 1; Magnet 2]
Hardwired signals - Power Permit Loop
[Diagram labels: Powering Interlock Controller; Power Converter; Cable PIC-PC; +15 … 24 V; GND]
• Powering Permit (CMD_PWR_PERM_PIC): Switch closed: permission for powering. Switch open: no permission for powering
• ST_UNLATCHED:PWR_PERMIT: Signal present: Powering permitted. Signal to FALSE: Powering not permitted (latched)
by R.Schmidt, LHC-D-ES-0003-10-02
Hardwired signals – Circuit Quench Loop
[Diagram labels: Quench detection; Energy extraction 600 A; Powering Interlock Controller; Power Converter; +15 … 24 V; GND. Signal names: ST_CIRCUIT_OK_QPS; ST_ABORT_PIC; ST_FAST_POWER_ABORT; ST_FAULTS:FAST_ABORT; CMD_ABORT_PIC]
• Circuit Quench (ST_CIRCUIT_OK_QPS): Switch closed: no quench. Switch open: quench
• PIC Fast Power Abort Request (CMD_ABORT_PIC): Switch closed: operation ok. Switch open: Fast Power Abort
• State annotations on the receivers in the loop: Signal present: no Fast Power Abort. Signal not present / Signal to FALSE: Fast Power Abort (one annotation marks it as latched)