Interlocks for Magnet Protection System

1
Interlocks for Magnet Protection System

• Iván Romera Ramírez, Markus Zerlauth - CERN

2
Outline

• Aim of magnet protection
• From the design phase until LHC implementation
• Details of the design
• Validation testing and operational procedures
• Conclusions

3
Magnet powering for superconducting and normal
conducting magnets

• Machine protection of the LHC starts already
  with its pre-injectors and the transfer lines
• Magnet powering and interlock systems in the
  SPS, transfer lines and the LHC are more or less
  identical

40 electrical circuits with 150 nc magnets in
the LHC
25 electrical circuits with 800 nc magnets in
SPS extractions lines CNGS
1600 electrical circuits with 10 000 sc
magnets in the LHC
4

Magnet Protection and Powering Interlock System

• LHC is CERNs first (mostly) superconducting
  machine (gt10.000 sc magnets powered in 1700
  circuits/ 148 nc magnets powered in 48 circuits)
  
• Magnet powering system will account for a
  considerable fraction of beam dump requests due
  to (e.g. beam induced) magnet quenches, power
  converter failures, mains failures, etc..
• Due to its complexity and the requirement of
  flexibility (not all powering failures require
  beam dumps), the powering interlock systems are
  separated from the beam interlock system
• Due to large stored energies in magnet powering
  (and other reasons such as max Voltage during
  energy extraction, easier commissioning, etc),
  the LHC powering has been divided into 8 sectors
  and 28 powering subsectors
• Disadvantage is larger equipment inventory, need
  for tracking between sectors, etc
• Other than in CERNs pre-accelerators,
  interlocking is not done by direct magnet
  protection power converter links but through
  dedicated powering interlock system (mainly due
  to complexity and for additional flexibility and
  diagnostic purposes)

5
Protection mechanisms for superconducting
magnets / circuits
Network, UTC, Logging
Power Permit
Internal failures / Ground Fault
Beam Dump
Cooling Failures
AUG, UPS, Mains Failures
Power Converter
Normal conducting cables
Powering Interlock Controller
Superconducting Diode
Energy Extraction
Quench- Heater
QPS
HTS Current Leads
Quench Signal
Magnet 1
Magnet 2
sc busbar
DFB
6

PIC Project History
Radiation tests Additional tests of CPLD in
CNGS
Commissioning First commissioning
Continued
LHC Series Fabrication
Testing Radiation, EMC and FMECA
Pre Series Fabrication
LHC Design Main design choices
Adjustments
Specification 1st version of Detailed
interfaces between main clients
Specification 1st version of Architecture of
the Beam and Powering Interlock System
String 2 First prototype operation
7
Details of the design

• Interlocks for magnet protection are designed
  following the basic MP principles
• FAILSAFE System must be safe by design (stop
  operation if system doesnt work)
• REDUNDANT All critical paths are redundant
• CRITICAL ACTIONS BY HARDWARE No software
  involved on critical path
• DEPENDABLE SYSTEM Safety/Availability/Reliability
  
• MASKING Only possible if safety is not
  compromised (useful for commissioning)

8
Powering Interlock System for sc magnets (PIC)

Powering Interlock System for sc magnets (PIC)

• Powering Interlock System is assuring correct
  powering conditions for sc magnet circuits during
  all operation operational phases
• Interfaces with Quench Protection and LHC Power
  Converters (several 1000s of channels each) and
  technical infrastructure (UPS, AUG, Cryogenics,
  Controls)
• Distributed system, installation close to main
  clients calls for EMC and radiation tolerant
  design
• Handling very large stored energies (GJ), system
  must be fast and reliable
• Represents 25 of user inputs to the Beam
  Interlock System, thus calls for dependable
  design

9
Main functionalities requirements

• Powering Interlock System (PIC) assures that all
  conditions for safe magnet powering are met
• Upon Start-up
• During operation
• Protection on a circuit by circuit basis
• Additional protection mechanisms on a powering
  subsector basis
• Linking magnet powering to technical services
  safety systems (UPS, AUG, Cryogenics)
• Linking magnet powering to Beam Interlock System
• Provide the evidence of powering failures to
  operations

10
Conditions for powering
Cryogenics Magnet and current leads must be at
correct temperature
Power converter must be ready (including cooling
water etc.)
Quench protection system must be ready (quench
heaters charged, extraction switch closed)
Safety systems must be ready (AUG arret
urgence general, UPS uninterruptible power
supplies, )
Power converters
Operator / Controls must give permission to power
Powering Interlock Controller (PIC)
Energy extraction
Quench in a magnet inside the electrical circuit
Warming up of the magnet due to failure in the
cryogenic system
Warming up of the magnet due to quench in an
adjacent magnet
AUG or UPS fault
Power converter failure
11
Architecture

• 28 powering subsectors, each managing between
  5-48 circuits
• 36 Powering Interlock Controllers (2 for long
  arcs)

12
Powering Interlocks the circuit level
Cryostat
Magnet
Magnet

PC_PERMIT
QPS
PC
PC_FAST_ABORT
CIRCUIT_QUENCH
POWERING_FAILURE
PC_DISCHARGE_REQUEST
DISCHARGE_REQUEST

• All conditions met for powering PC_PERMIT
• Sum of internal converter faults
  POWERING_FAILURE
• Magnet quench or Fast Abort from PIC
  PC_FAST_ABORT
• Loss of coolant PC_DISCHARGE_REQUEST

• No direct connection Magnet Protection
  Converters, but use of industrial controllers
  (PLCs)
• Protection signals are exchanged via hardwired
  current loops
• Depending on stored energy, circuit complexity,
  QPS, etc.. in between 2-4 signals are exchanged /
  circuit

13
Interlock Types
PC_PERMIT
QPS
PIC
PC
Interlock Type A (13kA main IT)
CIRCUIT_QUENCH
PC_FAST_ABORT
POWERING_FAILURE
PC_DISCHARGE_REQUEST
DISCHARGE_REQUEST
PC_PERMIT_B1
PC
PC_PERMIT_B2
QPS
PIC
PC
Interlock Type B2 (all quads of IPQD)
PC_FAST_ABORT
CIRCUIT_QUENCH
POWERING_FAILURE
PC_PERMIT
QPS
PIC
PC
Interlock Type B1 (600A EE, 600A no EE, 600A no
EE crowbar all dipoles of IPQD)
PC_FAST_ABORT
CIRCUIT_QUENCH
POWERING_FAILURE
PC_PERMIT
PIC
PC
Interlock Type C ( 80-120A)
POWERING_FAILURE
14
Powering Interlocks global interlocks
Cryostat
Magnet
Magnet

PC
QPS
PC
QPS
PC_PERMIT
QPS
1 PIC
PC
PC_FAST_ABORT
CIRCUIT_QUENCH
x M
x N
POWERING_FAILURE
PC_DISCHARGE_REQUEST
DISCHARGE_REQUEST

• Global interlocks
• In addition to circuit/circuit treatment, global
  interlocks will provoke runtime aborts of ALL
  circuits in a subsector. Exchanged via hardware
  or between PLC-PLC

AUG_OK
UPS_OK
Quench_propagation

• CRYO_MAINTAIN

15
Powering Interlocks start-up interlocks
QPS_OK
CRYO_START
CRYO SCADA
QPS SCADA
PIC SCADA
Surface Software signal exchange
Tunnel Hardwired signal exchange
PC_PERMIT
QPS
PIC
PC
PC_FAST_ABORT
CIRCUIT_QUENCH
POWERING_FAILURE
PC_DISCHARGE_REQUEST
DISCHARGE_REQUEST

• Start-up interlocks
• In addition to hardwired interlocks, several
  software interlocks exist
• Exchanged via CMW, DIP, etc between SCADA systems
• Verified ONLY upon start-up, thus not provoking
  aborts during powering

• QPS_OK, CRYO_START, UPS_START, CABLE_CONNECT,
  CONFIG_DATA

16
Interface to Beam Interlock System (1/2)
PIC
USER_PERMIT_B
USER_PERMIT_A
BEAM_INFO
USER_PERMIT_A
USER_PERMIT_B
MASKABLE
ESSENTIAL AUXILIARY
UNMASKABLE
ESSENTIAL
CIBU (ESS)
CIBU (AUX)
BIC

• Both user permits signals needed for redundancy
• Removal of a single USER_PERMIT triggers a Beam
  Bump Request
• BEAM_INFO signal for monitoring purpose
• Beam dump decision taken by the BIC

17
Interface to Beam Interlock System (2/2)
SIEMENS 319 CPU
Max 16 Inputs / Patch Panel Max 96 Inputs / Total
PROFIBUS
MATRIX
ESSENTIAL AUXILIARY CIRCUITS
ESSENTIAL CIRCUITS
UNMASKABLE BEAM DUMP REQUEST OF THIS PIC
MASKABLE BEAM DUMP REQUEST OF THIS PIC

• XILINX XC95144 CPLD is used for redundancy and
  speed in beam dump request for Powering Interlock
  System

18
Mechanisms for secure configuration (1/2)

• LHC Functional Layout Database as unique source
  of information
• Configuration data required for PLCs, CPLDs and
  SCADA
• Consistency guaranteed with strict versioning
  scheme and approval process before migration to
  new data version
• Dedicated script for the generation of
• configuration data
• Files signed with Cyclical Redundancy
• Check (CRC)
• SCADA configuration file will
• contain all checksums for validation
• Flexibility for Commissioning
• No changes during operation without
• repeating all commissioning procedures!!

19
Mechanisms for secure configuration (2/2)
PVSS
DB
Version PLC HW CRC PLC SW CRC Version Matrix CRC
Ethernet
PLC
PLC
PLC
Version PLC HW CRC PLC SW CRC
PUBLISH

PROFIBUS
PROFIBUS
PROFIBUS
matrix
matrix
matrix
Version Matrix CRC
20
EMC and Radiation tests

• 2009 Radiation Equipment installed in CNGS
  (Proton target)
• 2x10e13 p/cycle, 20-30Gy/week
• 4x832 CPLDs on dedicated boards
• Identical SW as used in the LHC devices, with
  remote
• monitoring (RS485 line drivers and PXI in control
  room)
• Labview program to change address lines and
  input
• states of CPLD
• Setup is constantly comparing against each other
  the
• outputs of 32 CPLDs
• Readout of critical path separated from
  monitoring part
• Conclusions
• 3 events in monitoring part detected
• NONE critical path
• Potential destructive latch-up of one CPLD
• after 75 Gy (tbc)
• 2004 Radiation tests in Louvaine to validate
• main components (opto-couplers, AC/DC,)

21

Powering Interlock System Building blocks

• Distributed system over the whole LHC
  circumference, completely installed underground
  to remain close to clients
• 36 industrial controllers SIEMENS PLC 319
  (normal PLC, ie non-safety but optimized for
  speed - 1ms cycle time)
• 8000 remote I/O channels using compact
  (non-SIEMENS) modules with 32 I/Os each
• Total of 500 electronic cards (designed
  in-house)
• 41 km of signal cables linking systems to main
  clients (QPS and power converters)
• Redundant power supplies throughout the system
  (known to be weakest link in terms of MTBF)

22
Validation testing and Operational Procedures
Operator Console in the Field Control Room

• Signal mapping and SCADA functionality
• Supervision links in between systems
• Loading and transfer of configuration files

Ethernet Technical Network
PLC in non-radiation area

• Functionality of the PLC Program
• Integrity of hardwired protection signals
• gt2300 fail safe current loops with PCs,
  QPS, AUG, UPS, BIC

Profibus
Remote I/O close to clients
PC_PERMIT
Power Converter
QPS
CIRCUIT_QUENCH
PC_FAST_ABORT

POWERING_FAILURE
DISCHARGE_ REQUEST
PC_DISCHARGE_ REQUEST
23
Individual System Tests and Short Circuit Tests

• Individual System Tests
• 100 automated functional test in the lab
• (no HW failure yet in tunnel after 4 years of
  operation)
• Preparation and repository archiving (PIC1 and
• PIC2 operation)
• Installation in the tunnel
• Short circuit tests
• Interlock commissioning for 13kA circuits and
  participation to heat runs
• Interface tests with PC and QPS (to detect major
  cabling problems)
• System fully operational for all circuits during
  heat runs (without QPS equipment)

24
Interlocks Commissioning PIC1 and PIC2

• Interlocks Hardware Commissioning (PIC1 PIC2)
• During the 2 main HWC 6000 tests have been
  performed to validate to 100 the powering
  interlock system
• 920 circuits being physically connected to the
  PIC
• depending on circuit type between 2 14 tests to
  be done)
• Due to gtgt tests, automated tools developed for
  execution validation
• Only after successful completion of ALL interlock
  tests declared operational

Sequencer to automate test execution
Analysis tools to automate test validation
25
Conclusions

• Powering Interlock System along with its clients
  assures that all conditions for safe powering are
  met at any time
• Safety critical protection on a circuit by
  circuit level via hardwired interlocks
• Additional protection mechanisms on powering
  subsector level, while allowing some flexibility
  for installation and commissioning
• Supplementary software interlocks for start-up
• During commissioning ONLY, some of these start-up
  interlocks can be masked by the expert (but masks
  clearly visible)
• Only after full interlock commissioning, system
  is considered operational
• Efforts for rigorous design and testing did pay
  off
• not a single non-conformity in interlock systems
  during commissioning 2009
• not a single critical component failure since
  installation in 2006
• No modifications or tampering with interlocks
  after this phase

26
END

• Thank you for your attention

27
Warm Magnet Interlock System (WIC)

• Classical protection of nc magnets via
  thermo-swicthes, flow-meters, emergency stop
  buttons, etc
• Use of industrial PLCs and remote I/O modules,
  relatively slow system
• In LHC only 45 circuits powering 149 magnets in
  LHC

Power Converter
Status info
Warm magnet Interlock Controller
Power Permit
Thermoswitches Water Flow Red button
Several thermo-switches _at_ 60C
Magnet 1
Magnet 2
28
Hardwired signals - Power Permit Loop
15 ,,, 24 V
Cable PIC-PC
Powering Permit CMD_PWR_PERM_PIC Switch closed
permission for powering Switch open no
permission for powering
ST_UNLATCHEDPWR_PERMIT Signal present Powering
permitted Signal to FALSE Powering not permitted
(latched)
GND
Power Converter
Powering Interlock Controller
LHC-D-ES-0003-10-02
by R.Schmidt
29
Hardwired signals Circuit Quench Loop