sns integrated control system sns machine protection system final design review introduction dave...
Post on 15-Jan-2016
229 views
TRANSCRIPT
SNS Integrated Control System
SNS Machine Protection SystemFinal Design Review
Introduction
Dave Gurd
Tuesday, September 11, 2001
SNS Integrated Control System
Review Committee Members
Kelly Mahoney (Jefferson Lab) Chair
Mike Thuot (LANL)
Ken Reece (SNS/ORNL)
George Dodson (SNS/ORNL)
SNS Integrated Control System
Presenters
Coles Sibley Cognizant Engineer
Saeed Assadi
Ron Battle
SNS Integrated Control System
Scope (2) – Personnel Safety Systemsare not under Review Today
Target Protection System
Personnel Protection System
“High QA” System
Machine Protection – Latched
Machine Protection – Auto reset
Run Permit (Software Layer)
SNS Integrated Control System
Scope
This is the Final Design Review for the SNS Machine Protection System Hardware.
The Software System that uses this hardware will be reviewed separately, and at a later time.
The “High QA System” discussion is a Preliminary Design Review” only, preparatory to a planned Project Change Request.
SNS Integrated Control System
System under review is in WBS 1.9.2(Global Systems)
1.3Front End
(LBNL)
1.4Linac
(LANL)
1.5Ring
(BNL)
1.6Target
(ORNL)
1.7Instruments
(ORNL, ANL)
1.8Facilities
(ORNL, CM)
1.9Controls
1.9.3Front EndControls
1.9.4Linac
Controls
1.9.5Ring
Controls
1.9.6Target
Controls
1.9.8FacilitiesControls
1.9.2 “Global” Controls: (Network, Timing, Protection, Control Room, Labs, Applications, System Software)
1.9.1 Integration & Management
1.9.9Personnel
Safety
1.4 Cryo(JLAB, ORNL)
1.9.10Cryo
Controls
ICWG
SNS Integrated Control System
Charge to the Committee
Is the Scope well defined and understood?
Are all the Requirements understood and well-defined? Is the hardware proposed flexible enough to do what is required?
Are all of the Interfaces – internal and with other systems – appropriate and well-defined?
Does the Design presented meet the requirements?» Issues? Anything missing? Anything dumb?
Are there any Safety or QA issues requiring attention?
Is the Cost and Schedule credible with respect to the design and to the project schedule?
Are there any major Unresolved Issues?
Bottom Line: Can we proceed with Procurement and Fabrication?
SNS Integrated Control System
Schedule
10:00 – 10:15 Intro Dave Gurd
10:15 – 12:00 MPS C. Sibley» 10:15 – 10:35 MPS Overview (Latched and Auto Reset)» 10:45 – 11:45 MPS Software, MPS Hardware, Altera Code» 11:45 – 12:00 Cost, Schedule
12:00 – 1:00 Lunch
1:00 – 1:15 Target Protection Ron Battle
1:15 – 1:30 Diagnostics Saeed Assadi
1:30 – 2:00 HQA System C. Sibley
2:00 – 2:15 Cost Schedule C. Sibley
SNS Integrated Control System
Machine Protection System
Final Design Review
September 11, 2001
Coles Sibley
2000-0xxxx/vlb
SNS Integrated Control System
Related Documents
High QA MPS Description (Sibley)
Interface Requirements Document for MPS and Front End Equipment (Sibley)
SNS MPS VME/PMC Module Design (Sibley)
MPS System Requirements Document (Sibley)
MPS Interface Requirements Document (Sibley)
SNS Beam Loss Policy (Dodson)
ASD Control of Beam Power (K. Reece)
Preliminary Safety Assessment Document (PSAD)
Copper damage from fast Beam Loss (Shafer)
Front End Cutoff Devices (Staples)
SNS Integrated Control System
Questions for Committee
Mode Masking is critical. Are Hardware / Software protections presented adequate?
Are we Interlocking ourselves to TOTAL SAFETY- NO BEAM?» Availability verses reliability?
» Flexibility vs. reliability? (Commissioning)
Should corrector power supply ON status be an MPS Input?» Presently NO. Will keep real estate available for the future.
Are Redundant PLC’s and Current sensors required?» Is FPS-Latched OK for redundancy?
» Is Voltage and current read back OK verses 2 Zero Flux?
Layout of inputs indicates a better arrangement is 16/0, or 0/16 instead of 8/8. Very minimal coding change.
SNS Integrated Control System
Machine Protection System (10:00 – 12:00)
Machine Protection System Overview» Mode and timing info throughout MPS Talks
MPS Software Overview
MPS Hardware, Firmware
Cost
Schedule
Acronyms» FPS Fast Protect System
» FPL Fast Protect Latched
» FPAR Fast Protect Auto Reset
» BLM Beam Loss Monitor
SNS Integrated Control System
1.3Front End
(LBNL)
1.4Linac
(LANL)
1.5Ring
(BNL)
1.6Target
(ORNL)
1.7Instruments
(ORNL, ANL)
1.8Facilities
(ORNL, CM)
1.9Controls
1.9.3Front EndControls
1.9.4Linac
Controls
1.9.5Ring
Controls
1.9.6Target
Controls
1.9.7Instrument
Controls
1.9.8FacilitiesControls
1.9.2 “Global” Controls - 1.9.2.3 Machine Protection
1.9.1 Integration & Management
1.9.9Personnel
Safety
1.4 Cryo(JLAB, ORNL)
1.9.10Cryo
Controls
ICWGinclude JLAB
Machine Protection is a Global Subsystem
SNS Integrated Control System
MPS Design Assumptions
Four layers of protection!» High QA (Hardware) PLC» Hardware / Software (Fast Protect System)» Software (Run Permit System)
Machine Protection System is not a “Safety Class” or “Safety Significant” System.
SNS will be built and commissioned in Phases, MPS must accommodate this schedule, (Flexible and Reliable).
Reliability – The Machine Protection System must inhibit the beam when required. It must fail in a SAFE state.
Availability – The machine availability should be as high as possible. The MPS must be easy to configure and have a “friendly” operator interface. False trips must be minimized.
SNS Integrated Control System
MPS - Layered Protection
PersonelProtection System
Fast ProtectLatched
Fast ProtectAuto Reset
Run Permit
Incr
easi
ng
QA
Hard Wired and PLCapplication
3 MHz carrier linkKEY BypassingPLC Bypassing
8 MHz carrier linkSoftware bypassSoftware Trips
EPICSApplication
EPICS ChannelAccess Inputs
Loss MonitorsRF Status
Machine Mode
Valve StatusPower Supply
StatusMachine Mode
Inputs
Chipmunks,Doors, etc.
AC Breakers in front endelectronics &
power supplies
65 KV switchRFQ Power Supply
RFQ Drive
Fast Protect SystemBeam Permit
System
ProtectionSystem
Shutdownmechanism
SystemDescription
System Inputs
Target ProtectionSystem
Hard WiredMercury Sensors
TemperatureFlow, etc
AC Breakers
No
n S
afet
y C
lass
Sys
tem
sS
afe
tyS
ign
ific
an
tS
afet
yC
lass
MPSHQA
PLCControl netFLEX IO
Magnet ShuntsPPS Inputs
Beam DiagnosticsDump, TGT Controls
65 kV SupplyRFQ Power Supply
SNS Integrated Control System
SNS Accelerator Timing Sequence
Real-TimeData Link
(RTDL)
RTDL parametertransmission
0-1 ms-2 ms 1 ms 3 ms2 ms 4 ms
RTDLtransmit
RTDL valid
System xxxTrigger
5 ms 6 ms
mode
snapshot,1Hz, 10Hz,
etc...
linac beamend extract
beamaccumulation
Rf, High voltageGates
-3 ms
MPS Fault
Anytime
MPS Inhibit
Anytime
cycle start
Anytime
event link
machine
Informational Events, non critical timing Time Critical Events, (Hardware is counting)
Master Trigger Generator
Inject SaveData
MPS InputsEvent LinkRTDL Data
SNS Integrated Control System
Mode Definitions
Machine Modes» PPS /Beam Permit
» Ion Source
» D-Plate
» Linac Dump
» Injection Dump
» Ring
» Extraction Dump
» Target
Beam Modes» Off
» Standby (RFQ RF gate)
» Diagnostics (10 usec)
» Diagnostics (50 usec)
» Diagnostics (100 usec)
» Full Pulse Width (1 msec)
» Low Power (7.5 kW)
» Medium Power (200 kW)
» Full Power (2 MW)
SNS Integrated Control System
Background - SNS Events (Prioritized)
5 thru 36 - Operating Mode (same as RTDL frame data)» Hardware / Software from PLC through EPICS
– Beam dump, power limit, Pulse length limit
– Injection rates limited by dump power and pulse width
– DTL for commissioning only
Off 10 usec 50 usec 100 usec 1 msecSRC 5 6 7 8 9DTL 5 10 11 12 13
10 usec 50 usec 100 usec 7.5 kW 200 kW 2 MWLDMP 14 15 16 17IDMP 18 19 20 21 22Ring 23 24 25 26EDMP 27 28 29 30TGT 31 32 33 34 35 36
SNS Integrated Control System
MPS Fast Protect System
Fast Protect Auto Reset (20 microseconds)» Inhibits beam for duration of macro pulse by disabling
FPS_PERMIT_LINK_B carrier to the front end. Restores Fast Protect link for next pulse if fault restored to normal.
Fast Protect Latched System (20 microseconds)» Latches fault conditions until fault clears and Operator resets
condition. FPS_PERMIT_LINK_A carrier interrupted and inhibits beam through front end devices.
Run Permit System (1 second)» Coordinates machine mode changes.
» Scans IOC configurations for Software Configuration errors.
» EPS interface for masking equipment inputs.
High QA MPS (2 Pulses)» Latched in Hardware
» Redundancy through FPLS inputs
SNS Integrated Control System
Copper Damage from Fast Beam Loss (R. Shafer)
Energy dE/dx time Bragg ratio time (MeV) MeV-cm2/gm (dE/dx) us (Bragg) us gm/cm2 cm
2.5 69.6 6 3 2 0.023 0.00265 44.18 10 3.8 3 0.069 0.0077
10 27.09 16 4 4 0.2172 0.024315 20.1 22 4.2 5 0.4323 0.048520 16.2 27 4.7 6 0.709 0.079550 8.09 54 5.3 10 3.502 0.3926
86.8 5.37 81 6.3 13 9.197 1.0311
----------Range----------
Time to reach thermal stress at front surface – column 3Estimated time to reach the thermal stress limit at the Bragg peak - column 5
ConclusionBased on these estimates, it is apparent that significant damage can occur in the DTL unless the MPS Fast Protect can shut down the beam in less than about 5 microseconds for beam losses at E<= 7.5 MeV. For the CCL (E>87 MeV), 20 microseconds is adequate. There is no risk of damaging the RF structures during commissioning with single 52-mA, 600-ns long minipulses.
SNS Integrated Control System
MPS Response Time (Estimate)
Comm Room Total Beam Total Beam(End of) Min MPS Max MPS Beam flight after fault after fault(IOC's) Total Total Time Min MaxMEBT (2) 6.4E-07 8.4E-07 1.4E-07 7.8E-07 9.8E-07DTL (4) 1.3E-06 2.2E-06 1.4E-07 1.5E-06 2.4E-06CCL (5) 2.0E-06 3.3E-06 1.1E-06 3.1E-06 4.4E-06Mbeta (4) 2.6E-06 4.1E-06 1.5E-06 4.0E-06 5.6E-06HB5 (4) 2.9E-06 4.1E-06 1.7E-06 4.6E-06 5.7E-06HB11 (4) 3.3E-06 4.5E-06 1.9E-06 5.2E-06 6.3E-06End SRF (4) 4.0E-06 5.2E-06 2.1E-06 6.1E-06 7.3E-06Ldmp (4) 4.2E-06 4.8E-06 2.3E-06 6.6E-06 7.2E-06
Fiber speed = 0.65CCopper speed = 0.65CMPS Board delay = 75 nsec
SNS Integrated Control System
MPS Fast Protect System Layout
RING
RFQDrive
HEBT
Ldump
SRF
CCL
DTL
65 kV
RFQHVPPS
MPS Inputs
MPS Inputs
MPS InputsMPS Inputs
MPS Inputs
MPS Inputs
MPS Inputs
MPSMaster
Machinemode
RING
RTBT
Xdump
MPS Inputs
MPS Inputs
MPS Inputs
Idump
RTBT
Target
Fa
st
Pro
tec
tIn
pu
ts
FrontEnd
LINAC RING RTBT
Fa
st
Pro
tec
tIn
pu
ts
Fa
st
Pro
tec
tIn
pu
ts
Fa
st
Pro
tec
tIn
pu
ts
Target
LEBTChopper
RFQDrive
Fa
st
Pro
tec
tIn
pu
ts
Fa
ult
Be
am
Pe
rmit
Inp
uts
FrontEnd
LINAC RING RTBT Target
Ion Source65 Kv PS
RFQPower Supply
Fa
ult
Be
am
Pe
rmit
Inp
uts
Be
am
Pe
rmit
Inp
uts
Be
am
Pe
rmit
Inp
uts
Be
am
Pe
rmit
Inp
uts
ExtractionKickersFault
EventSystem
"ABORT"
5.6 us 5.8 us 8.2 us 8.2 us
27.3 us
MEBTMPS Inputs
RFQ
LEBT
Src
MPS Inputs
MPS Inputs
MPS Inputs
0.8 us
MPS Inputs
MPS Inputs
SNS Integrated Control System
MPS Master
L_Dmp
D_plate
I_Dmp
Ring
E_Dmp
Ion_Source
MPS Master, 12 IN links, 2 Out links
Standard MPSPMC Module
FPL Carrier
FPAR Carrier
FPL Carrier
FPAR Carrier
Tgt
FPL, FPAR Inputs
HQA PLC Input
8 MPS Systems2 PPC MV2100
2 PMC_Span modules
7 MPS carrierlinks, 1 per dump
FPL, FPARStatus (Interlock inputs)
PLC contacts forsoftware bypass
Front End Shut off devices
From Target
From E_Dmp
From Ring
From I_Dmp
From L_Dmp
From D_Plt
SNS Integrated Control System
Front End Shut Off Devices
MPS HQA - PPS Only if MPS detects fault HQA- 65 kV power supply OK HQA - RFQ Power supply (Interlock) OK, but 5 min. recovery FPL - 65 kV fast switch OK, 100 msec’s FPL - RFQ Power supply OK, but 5 min. recovery FPAR - RFQ RF drive OK, Off, move gate, ON FPAR - LEBT Chopper Fails unsafe* – BUT Fast
» MEBT Chopper Could damage chopper » RF Reference line Long recovery» LEBT Valve Power limit, Not a beam
stop» Beam Stop none» +/- 40 kV lens supplies Not 100 %» RF Plasma Source PS Thermal instabilities » RF plasma source gate OK for short time
* PAC 2001 paper, SNS Beam Chopping and its Implications for Machine Protection, L. Doolittle, C. Sibley
SNS Integrated Control System
Fast Protect – Auto Reset
ALARA – Pulse Width Modulation
Tuning Aid, ALARA
Concentrates Permit Inputs
Inputs Bypassed by Mode
Inhibits carrier link to disable Beam
Inputs:» Loss Monitors
– Software trip points, bypass
» RF Low level Controls (Maybe latched)
Software maskable
Auto mask sets (Wire Scanner)
SNS Integrated Control System
Beam Loss Monitors (Saeed’s Talk)
Integration Time – Set in Hardware
Trip point limits – Software adjustable - EPICS
Dose Rate Calibration
Masking Capabilities – Software Masks
Wire Scanner Masks – Auto mask sets for each W.S.
Placement – Near Quadrupoles, Redundant coverage
HV Supply – 1 HV supply takes down every other BLM
Configuration Control» Commissioning vs. Run Periods
SNS Integrated Control System
EDM EPICS Loss Monitor display
SNS Integrated Control System
Auto Reset Inputs
Loss LLRF Total
LEBT 0MEBT 0RFQ 1 1DTL 12 6 18CCL 24 4 28SRF 64 92 156HEBT 55 2 57RING 87 4 91RTBT 43 43Total 285 109 394
Fast Protect, Auto Reset
SNS Integrated Control System
Fast Protect - Latched System
Concentrates Permit Inputs
Inhibits carrier link to disable beam
Devices bypassed by Jumper or PLC and Software» Configuration determined on a case by case basis
Inputs Bypassed by machine mode (event link)
System Configuration Control» Equipment maintained in locked racks
» Documentation control of changes
» System verification after changes
SNS Integrated Control System
Fast Protect - Latched Inputs
Power supply status» NO-Fault signal removed when interlock chain dropped or
power supply receives OFF command
Valve Status» No Fault signal when valve is open and NOT closed
» (intermediate states are faults)
Linac RF Status» RF Enabled Signal. Could be auto reset input
Target Status» Input comes from the target control system.
» Response should be faster than target shutdown signal.
» Time Stamp verifies MPS ACTED FIRST
SNS Integrated Control System
Dump Status» Passive Dump Status from PLC
Vacuum Status» Poor integrated vacuum levels
Timing System Status» Ring RF required for IDMP, RING, EDPM, and target modes» Local Oscillator allowed for LDMP, Dplate, and Ion Source modes
PPS Input» PPS search status will latch off beam
Beam Collimator’s» Water cooling
LEBT Chopper» Required for Ring Operation
Fast Protect – Latched Inputs
SNS Integrated Control System
Fast Protect - Latched Inputs
Loss monitors (Near BCM’s, HIGH QA) Current monitors
» Integrated current monitors» Pulse Width violations» Idmp over current monitor
HARP» Beam current intensity
SEM» With each HARP
Beam Position Monitors» Beam off target/dump violation
Wire scanners, Faraday cups» “Home” Limit switches
SNS Integrated Control System
Fast Protect - Latched Inputs
Beam Loss Accounting system» Software integrated loss
EPICS Alarm Inputs» EPICS Alarms for any PV can trigger latched input on a board
level or input signal level.
Injection Kickers» Power supply status» Waveform errors» Kicker pair matching
Extraction Kickers» PS Status» Kickers Charged
Ring RF
SNS Integrated Control System
Latched Inputs
Includes Corrector Power Supplies
RFHV PS I Wire Harp Loss Kick Dmp/Tgt Vac TotalMon.Scan. Coll. Other Inputs
LEBT 5 1 6MEBT 1 17 1 19RFQ 1 1 1 1 1 1 6DTL 3 0 1 6 2 8 18 38CCL 4 73 8 20 105SRF 15 58 1 29 1 1 105HEBT 1 54 1 14 2 2 2 2 78RING 2 195 2 2 8 4 2 215RTBT 91 2 4 4 4 14 2 2 123Total 27 494 6 62 11 8 22 17 48 695
Fast Protect Latched Inputs
SNS Integrated Control System
Number of MPS Systems
Total Latched A-Resethprf vac H2O ps cryo BLMIOC's MPS MPS
LEBT 1 1 1 0MEBT 0 3 1RFQ 1 1 1 1 4 1 1DTL 1 1 2 4 3CCL 2 1 1 1 1 6 14 4SRF 7 1 4 1 4 2 19 14 20HEBT 1 1 2 2 6 10 8RING 1 2 5 3 11 27 12RTBT 1 1 2 4 16 7Total 12 8 6 12 4 11 53 90 56
IOCS
SNS Integrated Control System
MPS Input Bypass Mechanisms
Mode Mask» Global database contains operating mode dependant devices.
Devices not required for present mode are masked through hardware. Masks changed with database reconfiguration and IOC reboot.
Jumper / Key / PLC Bypass» Software bypass requires set of closed contacts from a jumper,
key, or PLC contacts.
Software Bypass» If hardware configuration allows, input bypassed through software
with appropriate EPICS Access Security permissions.
The installation of bypass jumpers will be determined on a case by case basis by committee. Configuration control is monitored by RPS through EPICS.
SNS Integrated Control System
Wire Scanner (Layered) Protection
1. Application Requests W.S. Mode, receives “SW KEY”» Run permit won’t allow long pulse until APP releases key
» Program crashes, etc. require manual intervention, verification
» MODE changed to 10, 50, or 100 usec as appropriate
2. IOC Receives Request for scan » Motor Record is locked by mode (Allowed by low PW MODE)
» MODE == SHORT_PULSE, scan starts
3. MPS Hardware input masked by MODE (Not software)» Limit switch will cut off beam if not masked by MODE MASK
» MODE changes while wire off stops -> Beam cut off
» Motor breaks -> Manual intervention required to get wire out of beam
SNS Integrated Control System
MPS Conclusion
Several layers of protection, Defense in Depth
System is flexible, easy to add / delete sensors as required
Ability to mask through software will increase availability
Easy to run during phased installation.
Hardware enabling SW masks allows configuration control where required, flexibility to mask at will, with same hardware.