Title: Interlocks for Magnet Protection System
1 Interlocks for Magnet Protection System
- Iván Romera Ramírez, Markus Zerlauth - CERN
2 Outline
- Aim of magnet protection
- From the design phase until LHC implementation
- Details of the design
- Validation testing and operational procedures
- Conclusions
3 Magnet powering for superconducting and normal conducting magnets
- Machine protection of the LHC starts already with its pre-injectors and the transfer lines
- Magnet powering and interlock systems in the SPS, transfer lines and the LHC are more or less identical
- 40 electrical circuits with 150 nc magnets in the LHC
- 25 electrical circuits with 800 nc magnets in SPS extraction lines CNGS
- 1600 electrical circuits with 10 000 sc magnets in the LHC
4 Magnet Protection and Powering Interlock System
- LHC is CERN's first (mostly) superconducting machine (>10.000 sc magnets powered in 1700 circuits / 148 nc magnets powered in 48 circuits)
- Magnet powering system will account for a considerable fraction of beam dump requests due to (e.g. beam induced) magnet quenches, power converter failures, mains failures, etc.
- Due to its complexity and the requirement of flexibility (not all powering failures require beam dumps), the powering interlock systems are separated from the beam interlock system
- Due to large stored energies in magnet powering (and other reasons such as max voltage during energy extraction, easier commissioning, etc.), the LHC powering has been divided into 8 sectors and 28 powering subsectors
- Disadvantage is larger equipment inventory, need for tracking between sectors, etc.
- Unlike in CERN's pre-accelerators, interlocking is not done by direct links between magnet protection and power converters but through a dedicated powering interlock system (mainly due to complexity and for additional flexibility and diagnostic purposes)
5 Protection mechanisms for superconducting magnets / circuits
[Diagram labels: Network, UTC, Logging; Power Permit; Internal failures / Ground Fault; Beam Dump; Cooling Failures; AUG, UPS, Mains Failures; Power Converter; Normal conducting cables; Powering Interlock Controller; Superconducting Diode; Energy Extraction; Quench Heater; QPS; HTS Current Leads; Quench Signal; Magnet 1; Magnet 2; sc busbar; DFB]
6 PIC Project History
- Radiation tests: Additional tests of CPLD in CNGS
- Commissioning: First commissioning, Continued
- LHC Series Fabrication
- Testing: Radiation, EMC and FMECA
- Pre Series Fabrication
- LHC Design: Main design choices, Adjustments
- Specification: 1st version of Detailed interfaces between main clients
- Specification: 1st version of Architecture of the Beam and Powering Interlock System
- String 2: First prototype operation
7 Details of the design
- Interlocks for magnet protection are designed following the basic MP principles
- FAILSAFE: System must be safe by design (stop operation if system doesn't work)
- REDUNDANT: All critical paths are redundant
- CRITICAL ACTIONS BY HARDWARE: No software involved on critical path
- DEPENDABLE SYSTEM: Safety/Availability/Reliability
- MASKING: Only possible if safety is not compromised (useful for commissioning)
8 Powering Interlock System for sc magnets (PIC)
- Powering Interlock System is assuring correct powering conditions for sc magnet circuits during all operational phases
- Interfaces with Quench Protection and LHC Power Converters (several 1000s of channels each) and technical infrastructure (UPS, AUG, Cryogenics, Controls)
- Distributed system, installation close to main clients calls for EMC and radiation tolerant design
- Handling very large stored energies (GJ), system must be fast and reliable
- Represents 25% of user inputs to the Beam Interlock System, thus calls for dependable design
9 Main functionalities / requirements
- Powering Interlock System (PIC) assures that all conditions for safe magnet powering are met
  - Upon start-up
  - During operation
- Protection on a circuit by circuit basis
- Additional protection mechanisms on a powering subsector basis
- Linking magnet powering to technical services / safety systems (UPS, AUG, Cryogenics)
- Linking magnet powering to Beam Interlock System
- Provide the evidence of powering failures to operations
10 Conditions for powering
- Cryogenics: Magnet and current leads must be at correct temperature
- Power converter must be ready (including cooling water etc.)
- Quench protection system must be ready (quench heaters charged, extraction switch closed)
- Safety systems must be ready (AUG: arrêt d'urgence général, UPS: uninterruptible power supplies, ...)
- Operator / Controls must give permission to power
[Diagram labels: Power converters; Powering Interlock Controller (PIC); Energy extraction]
- Quench in a magnet inside the electrical circuit
- Warming up of the magnet due to failure in the cryogenic system
- Warming up of the magnet due to quench in an adjacent magnet
- AUG or UPS fault
- Power converter failure
11 Architecture
- 28 powering subsectors, each managing between 5-48 circuits
- 36 Powering Interlock Controllers (2 for long arcs)
12 Powering Interlocks: the circuit level
[Diagram labels: Cryostat; Magnet; QPS; PC; PC_PERMIT; PC_FAST_ABORT; CIRCUIT_QUENCH; POWERING_FAILURE; PC_DISCHARGE_REQUEST; DISCHARGE_REQUEST]
- All conditions met for powering: PC_PERMIT
- Sum of internal converter faults: POWERING_FAILURE
- Magnet quench or Fast Abort from PIC: PC_FAST_ABORT
- Loss of coolant: PC_DISCHARGE_REQUEST
- No direct connection between Magnet Protection and Converters, but use of industrial controllers (PLCs)
- Protection signals are exchanged via hardwired current loops
- Depending on stored energy, circuit complexity, QPS, etc., between 2-4 signals are exchanged per circuit
13 Interlock Types
- Interlock Type A (13kA main IT): QPS, PIC, PC; signals PC_PERMIT, CIRCUIT_QUENCH, PC_FAST_ABORT, POWERING_FAILURE, PC_DISCHARGE_REQUEST, DISCHARGE_REQUEST
- Interlock Type B2 (all quads of IPQD): QPS, PIC, two PCs; signals PC_PERMIT_B1, PC_PERMIT_B2, PC_FAST_ABORT, CIRCUIT_QUENCH, POWERING_FAILURE
- Interlock Type B1 (600A EE, 600A no EE, 600A no EE crowbar, all dipoles of IPQD): QPS, PIC, PC; signals PC_PERMIT, PC_FAST_ABORT, CIRCUIT_QUENCH, POWERING_FAILURE
- Interlock Type C (80-120A): PIC, PC; signals PC_PERMIT, POWERING_FAILURE
14 Powering Interlocks: global interlocks
[Diagram labels: Cryostat; Magnet; PC; QPS; 1 PIC; x M; x N; PC_PERMIT; PC_FAST_ABORT; CIRCUIT_QUENCH; POWERING_FAILURE; PC_DISCHARGE_REQUEST; DISCHARGE_REQUEST]
- Global interlocks
  - In addition to circuit/circuit treatment, global interlocks will provoke runtime aborts of ALL circuits in a subsector. Exchanged via hardware or between PLC-PLC
  - AUG_OK, UPS_OK, Quench_propagation
15 Powering Interlocks: start-up interlocks
[Diagram labels: QPS_OK; CRYO_START; CRYO SCADA; QPS SCADA; PIC SCADA; Surface: Software signal exchange; Tunnel: Hardwired signal exchange; QPS; PIC; PC; PC_PERMIT; PC_FAST_ABORT; CIRCUIT_QUENCH; POWERING_FAILURE; PC_DISCHARGE_REQUEST; DISCHARGE_REQUEST]
- Start-up interlocks
  - In addition to hardwired interlocks, several software interlocks exist
  - Exchanged via CMW, DIP, etc. between SCADA systems
  - Verified ONLY upon start-up, thus not provoking aborts during powering
  - QPS_OK, CRYO_START, UPS_START, CABLE_CONNECT, CONFIG_DATA
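Added example (not from the original slides, and not PIC code): a small Python model of the rules stated on slides 14, 15 and 25, where software start-up interlocks are checked only before powering, hardwired global interlocks abort at any time, and masks are accepted only for start-up interlocks during commissioning and always reported. The class name, the dictionary interface and the signal polarity (True = healthy) are assumptions.

```python
STARTUP = ("QPS_OK", "CRYO_START", "UPS_START", "CABLE_CONNECT", "CONFIG_DATA")
HARDWIRED = ("AUG_OK", "UPS_OK")  # assumed polarity: loop current present = True

class SubsectorPermit:
    """Toy model of one powering subsector (hypothetical class, not PIC code)."""

    def __init__(self, commissioning: bool = False):
        self.commissioning = commissioning
        self.masks = set()
        self.powering = False

    def mask(self, name: str) -> None:
        # Masks exist only for software start-up interlocks, only in commissioning
        if not self.commissioning or name not in STARTUP:
            raise PermissionError(f"mask on {name} refused")
        self.masks.add(name)

    def evaluate(self, software: dict, loops: dict) -> dict:
        """software/loops map signal name -> bool; a missing entry reads as False."""
        masks = self.masks if self.commissioning else set()
        if not all(loops.get(n, False) for n in HARDWIRED):
            self.powering = False          # hardwired loss aborts at any time
        elif not self.powering:            # start-up checks run only before powering
            blocking = [n for n in STARTUP
                        if not software.get(n, False) and n not in masks]
            self.powering = not blocking
        # Masks in force are always part of the result, so they stay visible
        return {"permit": self.powering, "active_masks": sorted(masks)}

def scenario() -> list:
    """Constructed sequence: start, lose a start-up signal, lose a loop, retry."""
    ok_sw = dict.fromkeys(STARTUP, True)
    ok_hw = dict.fromkeys(HARDWIRED, True)
    s = SubsectorPermit()
    return [s.evaluate(ok_sw, ok_hw)["permit"],
            s.evaluate({**ok_sw, "CRYO_START": False}, ok_hw)["permit"],
            s.evaluate(ok_sw, {**ok_hw, "UPS_OK": False})["permit"],
            s.evaluate({**ok_sw, "CRYO_START": False}, ok_hw)["permit"]]

if __name__ == "__main__":
    print(scenario())
```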
16 Interface to Beam Interlock System (1/2)
[Diagram labels: PIC; USER_PERMIT_A; USER_PERMIT_B; BEAM_INFO; MASKABLE: ESSENTIAL AUXILIARY; UNMASKABLE: ESSENTIAL; CIBU (ESS); CIBU (AUX); BIC]
- Both user permit signals needed for redundancy
- Removal of a single USER_PERMIT triggers a Beam Dump Request
- BEAM_INFO signal for monitoring purpose
- Beam dump decision taken by the BIC
17 Interface to Beam Interlock System (2/2)
[Diagram labels: SIEMENS 319 CPU; Max 16 Inputs / Patch Panel; Max 96 Inputs / Total; PROFIBUS; MATRIX; ESSENTIAL AUXILIARY CIRCUITS; ESSENTIAL CIRCUITS; UNMASKABLE BEAM DUMP REQUEST OF THIS PIC; MASKABLE BEAM DUMP REQUEST OF THIS PIC]
- XILINX XC95144 CPLD is used for redundancy and speed in beam dump request for Powering Interlock System
18 Mechanisms for secure configuration (1/2)
- LHC Functional Layout Database as unique source of information
- Configuration data required for PLCs, CPLDs and SCADA
- Consistency guaranteed with strict versioning scheme and approval process before migration to new data version
- Dedicated script for the generation of configuration data
- Files signed with Cyclic Redundancy Check (CRC)
- SCADA configuration file will contain all checksums for validation
- Flexibility for Commissioning
- No changes during operation without repeating all commissioning procedures!!
19 Mechanisms for secure configuration (2/2)
[Diagram labels: PVSS; DB (Version, PLC HW CRC, PLC SW CRC; Version, Matrix CRC); Ethernet; three PLCs (Version, PLC HW CRC, PLC SW CRC; PUBLISH); PROFIBUS; three matrices (Version, Matrix CRC)]
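Added example (not from the original slides, and not the project's generation script): a Python sketch of the version-plus-checksum validation described on slides 18 and 19, using CRC-32 from `zlib`. A CRC catches corrupted or stale files but is not a cryptographic signature, so it does not protect against deliberate modification; file names, contents and version strings below are constructed.

```python
import zlib

def crc32_hex(data: bytes) -> str:
    """CRC-32 of one configuration file as 8 hex digits."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"

def build_manifest(version: str, files: dict) -> dict:
    """Generation-script side: data version plus one checksum per file."""
    return {"version": version,
            "crc": {name: crc32_hex(blob) for name, blob in files.items()}}

def validate_device(manifest: dict, report: dict) -> list:
    """SCADA side: compare what a device publishes with the manifest.
    Returns the list of mismatches; only an empty list means 'valid'."""
    findings = []
    if report.get("version") != manifest["version"]:
        findings.append(f"version: {report.get('version')} != {manifest['version']}")
    for name, expected in manifest["crc"].items():
        got = report.get("crc", {}).get(name)
        if got is None:
            findings.append(f"{name}: no CRC published")  # missing counts as invalid
        elif got != expected:
            findings.append(f"{name}: CRC {got} != {expected}")
    return findings

# Constructed sample configuration (file names and contents are hypothetical)
FILES = {
    "plc_hw": b"remote_io_modules=8;channels_per_module=32\n",
    "plc_sw": b"CIRCUIT_001:type=A\nCIRCUIT_002:type=B1\nCIRCUIT_003:type=C\n",
    "matrix": b"CIRCUIT_001:essential\nCIRCUIT_002:auxiliary\n",
}
MANIFEST = build_manifest("data-v2", FILES)

def report_for(version: str, files: dict) -> dict:
    """What a device loaded with `files` would publish."""
    return build_manifest(version, files)

GOOD = report_for("data-v2", FILES)
STALE = report_for("data-v1", FILES)  # right files, old data version
EDITED = report_for("data-v2", {**FILES,
                    "matrix": b"CIRCUIT_001:auxiliary\nCIRCUIT_002:auxiliary\n"})
PARTIAL = {"version": "data-v2", "crc": {"plc_hw": GOOD["crc"]["plc_hw"]}}

if __name__ == "__main__":
    for label, rep in [("good", GOOD), ("stale", STALE),
                       ("edited", EDITED), ("partial", PARTIAL)]:
        print(label, validate_device(MANIFEST, rep) or "valid")
```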
20 EMC and Radiation tests
- 2009 Radiation: Equipment installed in CNGS (Proton target)
  - 2x10e13 p/cycle, 20-30Gy/week
  - 4x832 CPLDs on dedicated boards
  - Identical SW as used in the LHC devices, with remote monitoring (RS485 line drivers and PXI in control room)
  - Labview program to change address lines and input states of CPLD
  - Setup is constantly comparing against each other the outputs of 32 CPLDs
  - Readout of critical path separated from monitoring part
- Conclusions
  - 3 events in monitoring part detected
  - NONE in critical path
  - Potential destructive latch-up of one CPLD after 75 Gy (tbc)
- 2004: Radiation tests in Louvain to validate main components (opto-couplers, AC/DC, ...)
21 Powering Interlock System: Building blocks
- Distributed system over the whole LHC circumference, completely installed underground to remain close to clients
- 36 industrial controllers SIEMENS PLC 319 (normal PLC, i.e. non-safety but optimized for speed - 1ms cycle time)
- 8000 remote I/O channels using compact (non-SIEMENS) modules with 32 I/Os each
- Total of 500 electronic cards (designed in-house)
- 41 km of signal cables linking systems to main clients (QPS and power converters)
- Redundant power supplies throughout the system (known to be weakest link in terms of MTBF)
22 Validation testing and Operational Procedures
Operator Console in the Field Control Room
- Signal mapping and SCADA functionality
- Supervision links in between systems
- Loading and transfer of configuration files
Ethernet Technical Network
PLC in non-radiation area
- Functionality of the PLC Program
- Integrity of hardwired protection signals
- >2300 fail safe current loops with PCs, QPS, AUG, UPS, BIC
Profibus
Remote I/O close to clients
[Diagram labels: Power Converter; QPS; PC_PERMIT; CIRCUIT_QUENCH; PC_FAST_ABORT; POWERING_FAILURE; DISCHARGE_REQUEST; PC_DISCHARGE_REQUEST]
23 Individual System Tests and Short Circuit Tests
- Individual System Tests
  - 100% automated functional test in the lab (no HW failure yet in tunnel after 4 years of operation)
  - Preparation and repository archiving (PIC1 and PIC2 operation)
  - Installation in the tunnel
- Short circuit tests
  - Interlock commissioning for 13kA circuits and participation to heat runs
  - Interface tests with PC and QPS (to detect major cabling problems)
  - System fully operational for all circuits during heat runs (without QPS equipment)
24 Interlocks Commissioning PIC1 and PIC2
- Interlocks Hardware Commissioning (PIC1, PIC2)
  - During the 2 main HWC, 6000 tests have been performed to validate to 100% the powering interlock system
  - 920 circuits being physically connected to the PIC (depending on circuit type between 2-14 tests to be done)
  - Due to >> tests, automated tools developed for execution and validation
  - Only after successful completion of ALL interlock tests declared operational
- Sequencer to automate test execution
- Analysis tools to automate test validation
25 Conclusions
- Powering Interlock System along with its clients assures that all conditions for safe powering are met at any time
- Safety critical protection on a circuit by circuit level via hardwired interlocks
- Additional protection mechanisms on powering subsector level, while allowing some flexibility for installation and commissioning
- Supplementary software interlocks for start-up
- During commissioning ONLY, some of these start-up interlocks can be masked by the expert (but masks clearly visible)
- Only after full interlock commissioning, system is considered operational
- Efforts for rigorous design and testing did pay off
  - not a single non-conformity in interlock systems during commissioning 2009
  - not a single critical component failure since installation in 2006
- No modifications or tampering with interlocks after this phase
26 END
- Thank you for your attention
27 Warm Magnet Interlock System (WIC)
- Classical protection of nc magnets via thermo-switches, flow-meters, emergency stop buttons, etc.
- Use of industrial PLCs and remote I/O modules, relatively slow system
- In LHC only 45 circuits powering 149 magnets
[Diagram labels: Power Converter; Status info; Warm magnet Interlock Controller; Power Permit; Thermoswitches; Water Flow; Red button; Several thermo-switches @ 60°C; Magnet 1; Magnet 2]
28 Hardwired signals - Power Permit Loop
[Diagram labels: 15 ... 24 V; Cable PIC-PC; GND; Power Converter; Powering Interlock Controller]
- Powering Permit CMD_PWR_PERM_PIC: Switch closed = permission for powering; Switch open = no permission for powering
- ST_UNLATCHEDPWR_PERMIT: Signal present = Powering permitted; Signal to FALSE = Powering not permitted (latched)
LHC-D-ES-0003-10-02 by R.Schmidt
29 Hardwired signals - Circuit Quench Loop