SNS Machine Protection System Final Design Review Introduction

SNS Integrated Control System SNS Machine Protection System Final Design Review Introduction Dave Gurd Tuesday, September 11, 2001

Page 1: SNS Machine Protection System Final Design Review Introduction

SNS Integrated Control System

SNS Machine Protection System Final Design Review

Introduction

Dave Gurd

Tuesday, September 11, 2001

Page 2: SNS Machine Protection System Final Design Review Introduction

Review Committee Members

Kelly Mahoney (Jefferson Lab) Chair

Mike Thuot (LANL)

Ken Reece (SNS/ORNL)

George Dodson (SNS/ORNL)

Page 3: SNS Machine Protection System Final Design Review Introduction

Presenters

Coles Sibley, Cognizant Engineer

Saeed Assadi

Ron Battle

Page 4: SNS Machine Protection System Final Design Review Introduction

Scope (2) – Personnel Safety Systems are not under Review Today

Target Protection System

Personnel Protection System

“High QA” System

Machine Protection – Latched

Machine Protection – Auto reset

Run Permit (Software Layer)

Page 5: SNS Machine Protection System Final Design Review Introduction

Scope

This is the Final Design Review for the SNS Machine Protection System Hardware.

The Software System that uses this hardware will be reviewed separately, and at a later time.

The “High QA System” discussion is a “Preliminary Design Review” only, preparatory to a planned Project Change Request.

Page 6: SNS Machine Protection System Final Design Review Introduction

System under review is in WBS 1.9.2 (Global Systems)

1.3 Front End (LBNL)

1.4 Linac (LANL)

1.4 Cryo (JLAB, ORNL)

1.5 Ring (BNL)

1.6 Target (ORNL)

1.7 Instruments (ORNL, ANL)

1.8 Facilities (ORNL, CM)

1.9 Controls

» 1.9.1 Integration & Management

» 1.9.2 “Global” Controls: (Network, Timing, Protection, Control Room, Labs, Applications, System Software)

» 1.9.3 Front End Controls

» 1.9.4 Linac Controls

» 1.9.5 Ring Controls

» 1.9.6 Target Controls

» 1.9.8 Facilities Controls

» 1.9.9 Personnel Safety

» 1.9.10 Cryo Controls

ICWG

Page 7: SNS Machine Protection System Final Design Review Introduction

Charge to the Committee

Is the Scope well defined and understood?

Are all the Requirements understood and well-defined? Is the hardware proposed flexible enough to do what is required?

Are all of the Interfaces – internal and with other systems – appropriate and well-defined?

Does the Design presented meet the requirements?

» Issues? Anything missing? Anything dumb?

Are there any Safety or QA issues requiring attention?

Is the Cost and Schedule credible with respect to the design and to the project schedule?

Are there any major Unresolved Issues?

Bottom Line: Can we proceed with Procurement and Fabrication?

Page 8: SNS Machine Protection System Final Design Review Introduction

Schedule

10:00 – 10:15 Intro Dave Gurd

10:15 – 12:00 MPS C. Sibley

» 10:15 – 10:35 MPS Overview (Latched and Auto Reset)

» 10:45 – 11:45 MPS Software, MPS Hardware, Altera Code

» 11:45 – 12:00 Cost, Schedule

12:00 – 1:00 Lunch

1:00 – 1:15 Target Protection Ron Battle

1:15 – 1:30 Diagnostics Saeed Assadi

1:30 – 2:00 HQA System C. Sibley

2:00 – 2:15 Cost Schedule C. Sibley

Page 9: SNS Machine Protection System Final Design Review Introduction

Machine Protection System

Final Design Review

September 11, 2001

Coles Sibley

Page 10: SNS Machine Protection System Final Design Review Introduction

Related Documents

High QA MPS Description (Sibley)

Interface Requirements Document for MPS and Front End Equipment (Sibley)

SNS MPS VME/PMC Module Design (Sibley)

MPS System Requirements Document (Sibley)

MPS Interface Requirements Document (Sibley)

SNS Beam Loss Policy (Dodson)

ASD Control of Beam Power (K. Reece)

Preliminary Safety Assessment Document (PSAD)

Copper damage from fast Beam Loss (Shafer)

Front End Cutoff Devices (Staples)

Page 11: SNS Machine Protection System Final Design Review Introduction

Questions for Committee

Mode Masking is critical. Are Hardware / Software protections presented adequate?

Are we Interlocking ourselves to TOTAL SAFETY - NO BEAM?

» Availability versus reliability?

» Flexibility vs. reliability? (Commissioning)

Should corrector power supply ON status be an MPS Input?

» Presently NO. Will keep real estate available for the future.

Are Redundant PLCs and Current sensors required?

» Is FPS-Latched OK for redundancy?

» Is Voltage and current read back OK versus 2 Zero Flux?

Layout of inputs indicates a better arrangement is 16/0, or 0/16 instead of 8/8. Very minimal coding change.

Page 12: SNS Machine Protection System Final Design Review Introduction

Machine Protection System (10:00 – 12:00)

Machine Protection System Overview

» Mode and timing info throughout MPS Talks

MPS Software Overview

MPS Hardware, Firmware

Cost

Schedule

Acronyms

» FPS Fast Protect System

» FPL Fast Protect Latched

» FPAR Fast Protect Auto Reset

» BLM Beam Loss Monitor

Page 13: SNS Machine Protection System Final Design Review Introduction

Machine Protection is a Global Subsystem

1.3 Front End (LBNL)

1.4 Linac (LANL)

1.4 Cryo (JLAB, ORNL)

1.5 Ring (BNL)

1.6 Target (ORNL)

1.7 Instruments (ORNL, ANL)

1.8 Facilities (ORNL, CM)

1.9 Controls

» 1.9.1 Integration & Management

» 1.9.2 “Global” Controls - 1.9.2.3 Machine Protection

» 1.9.3 Front End Controls

» 1.9.4 Linac Controls

» 1.9.5 Ring Controls

» 1.9.6 Target Controls

» 1.9.7 Instrument Controls

» 1.9.8 Facilities Controls

» 1.9.9 Personnel Safety

» 1.9.10 Cryo Controls

ICWG include JLAB

Page 14: SNS Machine Protection System Final Design Review Introduction

MPS Design Assumptions

Four layers of protection!

» High QA (Hardware) PLC

» Hardware / Software (Fast Protect System)

» Software (Run Permit System)

Machine Protection System is not a “Safety Class” or “Safety Significant” System.

SNS will be built and commissioned in phases; the MPS must accommodate this schedule (Flexible and Reliable).

Reliability – The Machine Protection System must inhibit the beam when required. It must fail in a SAFE state.

Availability – The machine availability should be as high as possible. The MPS must be easy to configure and have a “friendly” operator interface. False trips must be minimized.

Page 15: SNS Machine Protection System Final Design Review Introduction

MPS - Layered Protection

| Protection System | System Description | System Inputs | Shutdown mechanism |
|---|---|---|---|
| Personnel Protection System | Hard Wired and PLC application | Chipmunks, Doors, etc. | AC Breakers in front end electronics & power supplies |
| Target Protection System | Hard Wired | Mercury Sensors, Temperature, Flow, etc. | AC Breakers |
| MPS HQA | PLC, Control net, FLEX IO | Magnet Shunts, PPS Inputs, Beam Diagnostics, Dump, TGT Controls | 65 kV Supply, RFQ Power Supply |
| Fast Protect Latched | 3 MHz carrier link, KEY Bypassing, PLC Bypassing | Valve Status, Power Supply Status, Machine Mode Inputs | 65 KV switch, RFQ Power Supply |
| Fast Protect Auto Reset | 8 MHz carrier link, Software bypass, Software Trips | Loss Monitors, RF Status, Machine Mode | RFQ Drive |
| Run Permit | EPICS Application | EPICS Channel Access Inputs | Fast Protect System, Beam Permit System |

Side labels on the figure: Increasing QA; Non Safety Class Systems; Safety Significant; Safety Class.

Page 16: SNS Machine Protection System Final Design Review Introduction

SNS Accelerator Timing Sequence

[Figure: SNS accelerator timing sequence. Time axis labels from -3 ms to 6 ms. Labels: Real-Time Data Link (RTDL); RTDL parameter transmission; RTDL transmit; RTDL valid; System xxx Trigger; mode; snapshot, 1 Hz, 10 Hz, etc.; linac beam; end extract; beam accumulation; RF, High voltage Gates; MPS Fault, Anytime; MPS Inhibit, Anytime; cycle start; Anytime; event link; machine; Master Trigger Generator; Inject; Save Data; MPS Inputs; Event Link; RTDL Data. Legend: Informational Events, non critical timing; Time Critical Events (Hardware is counting).]

Page 17: SNS Machine Protection System Final Design Review Introduction

Mode Definitions

Machine Modes

» PPS / Beam Permit

» Ion Source

» D-Plate

» Linac Dump

» Injection Dump

» Ring

» Extraction Dump

» Target

Beam Modes

» Off

» Standby (RFQ RF gate)

» Diagnostics (10 usec)

» Diagnostics (50 usec)

» Diagnostics (100 usec)

» Full Pulse Width (1 msec)

» Low Power (7.5 kW)

» Medium Power (200 kW)

» Full Power (2 MW)

Page 18: SNS Machine Protection System Final Design Review Introduction

Background - SNS Events (Prioritized)

5 thru 36 - Operating Mode (same as RTDL frame data)

» Hardware / Software from PLC through EPICS

– Beam dump, power limit, Pulse length limit

– Injection rates limited by dump power and pulse width

– DTL for commissioning only

| | Off | 10 usec | 50 usec | 100 usec | 1 msec |
|---|---|---|---|---|---|
| SRC | 5 | 6 | 7 | 8 | 9 |
| DTL | 5 | 10 | 11 | 12 | 13 |

Column headings: 10 usec, 50 usec, 100 usec, 7.5 kW, 200 kW, 2 MW

LDMP 14 15 16 17

IDMP 18 19 20 21 22

Ring 23 24 25 26

EDMP 27 28 29 30

TGT 31 32 33 34 35 36

Page 19: SNS Machine Protection System Final Design Review Introduction

MPS Fast Protect System

Fast Protect Auto Reset (20 microseconds)

» Inhibits beam for duration of macro pulse by disabling FPS_PERMIT_LINK_B carrier to the front end. Restores Fast Protect link for next pulse if fault restored to normal.

Fast Protect Latched System (20 microseconds)

» Latches fault conditions until fault clears and Operator resets condition. FPS_PERMIT_LINK_A carrier interrupted and inhibits beam through front end devices.

Run Permit System (1 second)

» Coordinates machine mode changes.

» Scans IOC configurations for Software Configuration errors.

» EPS interface for masking equipment inputs.

High QA MPS (2 Pulses)

» Latched in Hardware

» Redundancy through FPLS inputs

Page 20: SNS Machine Protection System Final Design Review Introduction

Copper Damage from Fast Beam Loss (R. Shafer)

| Energy (MeV) | dE/dx (MeV-cm2/gm) | time (dE/dx) (us) | Bragg ratio | time (Bragg) (us) | Range (gm/cm2) | Range (cm) |
|---|---|---|---|---|---|---|
| 2.5 | 69.6 | 6 | 3 | 2 | 0.023 | 0.0026 |
| 5 | 44.18 | 10 | 3.8 | 3 | 0.069 | 0.0077 |
| 10 | 27.09 | 16 | 4 | 4 | 0.2172 | 0.0243 |
| 15 | 20.1 | 22 | 4.2 | 5 | 0.4323 | 0.0485 |
| 20 | 16.2 | 27 | 4.7 | 6 | 0.709 | 0.0795 |
| 50 | 8.09 | 54 | 5.3 | 10 | 3.502 | 0.3926 |
| 86.8 | 5.37 | 81 | 6.3 | 13 | 9.197 | 1.0311 |

Time to reach thermal stress at front surface – column 3

Estimated time to reach the thermal stress limit at the Bragg peak - column 5

Conclusion

Based on these estimates, it is apparent that significant damage can occur in the DTL unless the MPS Fast Protect can shut down the beam in less than about 5 microseconds for beam losses at E <= 7.5 MeV. For the CCL (E > 87 MeV), 20 microseconds is adequate. There is no risk of damaging the RF structures during commissioning with single 52-mA, 600-ns long minipulses.

Page 21: SNS Machine Protection System Final Design Review Introduction

MPS Response Time (Estimate)

| Comm Room (End of) (IOC's) | Min MPS Total | Max MPS Total | Beam flight Time | Total Beam after fault Min | Total Beam after fault Max |
|---|---|---|---|---|---|
| MEBT (2) | 6.4E-07 | 8.4E-07 | 1.4E-07 | 7.8E-07 | 9.8E-07 |
| DTL (4) | 1.3E-06 | 2.2E-06 | 1.4E-07 | 1.5E-06 | 2.4E-06 |
| CCL (5) | 2.0E-06 | 3.3E-06 | 1.1E-06 | 3.1E-06 | 4.4E-06 |
| Mbeta (4) | 2.6E-06 | 4.1E-06 | 1.5E-06 | 4.0E-06 | 5.6E-06 |
| HB5 (4) | 2.9E-06 | 4.1E-06 | 1.7E-06 | 4.6E-06 | 5.7E-06 |
| HB11 (4) | 3.3E-06 | 4.5E-06 | 1.9E-06 | 5.2E-06 | 6.3E-06 |
| End SRF (4) | 4.0E-06 | 5.2E-06 | 2.1E-06 | 6.1E-06 | 7.3E-06 |
| Ldmp (4) | 4.2E-06 | 4.8E-06 | 2.3E-06 | 6.6E-06 | 7.2E-06 |

Fiber speed = 0.65C

Copper speed = 0.65C

MPS Board delay = 75 nsec

Page 22: SNS Machine Protection System Final Design Review Introduction

MPS Fast Protect System Layout

[Figure: MPS Fast Protect System layout diagram. Section labels: Front End, LINAC, RING, RTBT, Target. Location labels: Src, LEBT, RFQ, MEBT, DTL, CCL, SRF, Ldump, HEBT, Idump, RING, Xdump, RTBT, Target, each with MPS Inputs. Other labels: Fast Protect Inputs; Fault; Beam Permit Inputs; MPS Master; Machine mode; Event System; Extraction Kickers Fault "ABORT"; LEBT Chopper; RFQ Drive; Ion Source 65 kV PS; RFQ Power Supply; 65 kV; RFQ HV; PPS. Timing labels: 0.8 us, 5.6 us, 5.8 us, 8.2 us, 8.2 us, 27.3 us.]

Page 23: SNS Machine Protection System Final Design Review Introduction

MPS Master

MPS Master, 12 IN links, 2 Out links

Standard MPS PMC Module

8 MPS Systems

2 PPC MV2100

2 PMC_Span modules

7 MPS carrier links, 1 per dump

[Figure: MPS Master block diagram. Labels: Ion_Source, D_plate, L_Dmp, I_Dmp, Ring, E_Dmp, Tgt; FPL Carrier; FPAR Carrier; From D_Plt, From L_Dmp, From I_Dmp, From Ring, From E_Dmp, From Target; FPL, FPAR Inputs; HQA PLC Input; FPL, FPAR Status (Interlock inputs); PLC contacts for software bypass; Front End Shut off devices.]

Page 24: SNS Machine Protection System Final Design Review Introduction

Front End Shut Off Devices

MPS HQA - PPS: Only if MPS detects fault

HQA - 65 kV power supply: OK

HQA - RFQ Power supply (Interlock): OK, but 5 min. recovery

FPL - 65 kV fast switch: OK, 100 msec’s

FPL - RFQ Power supply: OK, but 5 min. recovery

FPAR - RFQ RF drive: OK, Off, move gate, ON

FPAR - LEBT Chopper: Fails unsafe* – BUT Fast

» MEBT Chopper: Could damage chopper

» RF Reference line: Long recovery

» LEBT Valve: Power limit, Not a beam stop

» Beam Stop: none

» +/- 40 kV lens supplies: Not 100 %

» RF Plasma Source PS: Thermal instabilities

» RF plasma source gate: OK for short time

* PAC 2001 paper, SNS Beam Chopping and its Implications for Machine Protection, L. Doolittle, C. Sibley

Page 25: SNS Machine Protection System Final Design Review Introduction

Fast Protect – Auto Reset

ALARA – Pulse Width Modulation

Tuning Aid, ALARA

Concentrates Permit Inputs

Inputs Bypassed by Mode

Inhibits carrier link to disable Beam

Inputs:

» Loss Monitors

– Software trip points, bypass

» RF Low level Controls (Maybe latched)

Software maskable

Auto mask sets (Wire Scanner)

Page 26: SNS Machine Protection System Final Design Review Introduction

Beam Loss Monitors (Saeed’s Talk)

Integration Time – Set in Hardware

Trip point limits – Software adjustable - EPICS

Dose Rate Calibration

Masking Capabilities – Software Masks

Wire Scanner Masks – Auto mask sets for each W.S.

Placement – Near Quadrupoles, Redundant coverage

HV Supply – 1 HV supply takes down every other BLM

Configuration Control

» Commissioning vs. Run Periods

Page 27: SNS Machine Protection System Final Design Review Introduction

EDM EPICS Loss Monitor display

Page 28: SNS Machine Protection System Final Design Review Introduction

Auto Reset Inputs

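| | Loss | LLRF | Total |
|---|---|---|---|
| LEBT | | | 0 |
| MEBT | | | 0 |
| RFQ | | 1 | 1 |
| DTL | 12 | 6 | 18 |
| CCL | 24 | 4 | 28 |
| SRF | 64 | 92 | 156 |
| HEBT | 55 | 2 | 57 |
| RING | 87 | 4 | 91 |
| RTBT | 43 | | 43 |
| Total | 285 | 109 | 394 |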

Fast Protect, Auto Reset

Page 29: SNS Machine Protection System Final Design Review Introduction

Fast Protect - Latched System

Concentrates Permit Inputs

Inhibits carrier link to disable beam

Devices bypassed by Jumper or PLC and Software

» Configuration determined on a case by case basis

Inputs Bypassed by machine mode (event link)

System Configuration Control

» Equipment maintained in locked racks

» Documentation control of changes

» System verification after changes

Page 30: SNS Machine Protection System Final Design Review Introduction

Fast Protect - Latched Inputs

Power supply status

» NO-Fault signal removed when interlock chain dropped or power supply receives OFF command

Valve Status

» No Fault signal when valve is open and NOT closed

» (intermediate states are faults)

Linac RF Status

» RF Enabled Signal. Could be auto reset input

Target Status

» Input comes from the target control system.

» Response should be faster than target shutdown signal.

» Time Stamp verifies MPS ACTED FIRST

Page 31: SNS Machine Protection System Final Design Review Introduction

Fast Protect – Latched Inputs

Dump Status

» Passive Dump Status from PLC

Vacuum Status

» Poor integrated vacuum levels

Timing System Status

» Ring RF required for IDMP, RING, EDMP, and target modes

» Local Oscillator allowed for LDMP, Dplate, and Ion Source modes

PPS Input

» PPS search status will latch off beam

Beam Collimators

» Water cooling

LEBT Chopper

» Required for Ring Operation

Page 32: SNS Machine Protection System Final Design Review Introduction

Fast Protect - Latched Inputs

Loss monitors (Near BCMs, HIGH QA)

Current monitors

» Integrated current monitors

» Pulse Width violations

» Idmp over current monitor

HARP

» Beam current intensity

SEM

» With each HARP

Beam Position Monitors

» Beam off target/dump violation

Wire scanners, Faraday cups

» “Home” Limit switches

Page 33: SNS Machine Protection System Final Design Review Introduction

Fast Protect - Latched Inputs

Beam Loss Accounting system

» Software integrated loss

EPICS Alarm Inputs

» EPICS Alarms for any PV can trigger latched input on a board level or input signal level.

Injection Kickers

» Power supply status

» Waveform errors

» Kicker pair matching

Extraction Kickers

» PS Status

» Kickers Charged

Ring RF

Page 34: SNS Machine Protection System Final Design Review Introduction

Latched Inputs

Includes Corrector Power Supplies

Column headings (as extracted): RFHV PS I Wire Harp Loss Kick Dmp/Tgt Vac Total / Mon. Scan. Coll. Other Inputs

LEBT 5 1 6

MEBT 1 17 1 19

RFQ 1 1 1 1 1 1 6

DTL 3 0 1 6 2 8 18 38

CCL 4 73 8 20 105

SRF 15 58 1 29 1 1 105

HEBT 1 54 1 14 2 2 2 2 78

RING 2 195 2 2 8 4 2 215

RTBT 91 2 4 4 4 14 2 2 123

Total 27 494 6 62 11 8 22 17 48 695

Fast Protect Latched Inputs

Page 35: SNS Machine Protection System Final Design Review Introduction

Number of MPS Systems

Column headings: IOCS (hprf, vac, H2O, ps, cryo, BLM); Total IOC's; Latched MPS; A-Reset MPS

LEBT 1 1 1 0

MEBT 0 3 1

RFQ 1 1 1 1 4 1 1

DTL 1 1 2 4 3

CCL 2 1 1 1 1 6 14 4

SRF 7 1 4 1 4 2 19 14 20

HEBT 1 1 2 2 6 10 8

RING 1 2 5 3 11 27 12

RTBT 1 1 2 4 16 7

Total 12 8 6 12 4 11 53 90 56

Page 36: SNS Machine Protection System Final Design Review Introduction

MPS Input Bypass Mechanisms

Mode Mask

» Global database contains operating mode dependent devices. Devices not required for present mode are masked through hardware. Masks changed with database reconfiguration and IOC reboot.

Jumper / Key / PLC Bypass

» Software bypass requires set of closed contacts from a jumper, key, or PLC contacts.

Software Bypass

» If hardware configuration allows, input bypassed through software with appropriate EPICS Access Security permissions.

The installation of bypass jumpers will be determined on a case by case basis by committee. Configuration control is monitored by RPS through EPICS.
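
The bypass rules on this slide, combined with the latched and auto-reset behavior described for the Fast Protect System, modeled as an added Python example (not code from the SNS project, where the masking is done in hardware). The class, field names, input names and mode strings are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class MpsInput:
    name: str
    required_modes: frozenset       # modes in which this input is NOT mode-masked
    latched: bool                   # True: Fast Protect Latched; False: Auto Reset
    ok: bool = False                # fail-safe default: a missing signal is a fault
    hw_bypass_enable: bool = False  # jumper / key / PLC contacts closed
    sw_bypass: bool = False
    latch: bool = False             # held until fault clears AND operator resets

    def request_sw_bypass(self, has_permission: bool) -> bool:
        # Honoured only if the hardware contacts allow it and the caller is authorised.
        self.sw_bypass = self.hw_bypass_enable and has_permission
        return self.sw_bypass

    def permits_beam(self, mode: str) -> bool:
        if mode not in self.required_modes:           # mode mask
            return True
        if self.sw_bypass and self.hw_bypass_enable:  # contacts must still be closed
            return True
        if self.latched and not self.ok:
            self.latch = True
        return self.ok and not self.latch

    def operator_reset(self) -> None:
        if self.ok:                                   # a standing fault cannot be reset
            self.latch = False

def beam_permit(inputs, mode):
    """Return (permit, names withholding it); every input is evaluated so latches set."""
    blocking = [i.name for i in inputs if not i.permits_beam(mode)]
    return (not blocking, blocking)

def scenario():
    """Constructed walk-through; input names and mode strings are hypothetical."""
    full, diag = "FULL_POWER", "DIAG_50US"
    blm = MpsInput("BLM_1", frozenset({full, diag}), latched=False, ok=True)
    valve = MpsInput("VALVE_1", frozenset({full, diag}), latched=True, ok=True)
    # Wire-scanner "home" limit switch: masked in the short-pulse mode, wire inserted.
    ws = MpsInput("WS_1_HOME", frozenset({full}), latched=True, ok=False)
    inputs, log = [blm, valve, ws], []
    log.append(beam_permit(inputs, diag))    # masked by mode: beam allowed
    log.append(beam_permit(inputs, full))    # mode change with wire in: trip and latch
    ws.ok = True
    log.append(beam_permit(inputs, full))    # fault cleared, latch still holds
    ws.operator_reset()
    log.append(beam_permit(inputs, full))    # operator reset restores permit
    blm.ok = False
    log.append(beam_permit(inputs, full))    # auto-reset input inhibits beam
    blm.ok = True
    log.append(beam_permit(inputs, full))    # and restores without a reset
    valve.ok = False
    log.append(valve.request_sw_bypass(True))    # contacts open: refused
    valve.hw_bypass_enable = True
    log.append(valve.request_sw_bypass(False))   # no permission: refused
    log.append(valve.request_sw_bypass(True))    # both conditions met
    log.append(beam_permit(inputs, full))        # faulted valve is bypassed
    return log

if __name__ == "__main__":
    for step in scenario():
        print(step)
```

Because `permits_beam` rechecks the hardware contacts on every evaluation, removing the jumper or key withdraws a software bypass that was granted earlier.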

Page 37: SNS Machine Protection System Final Design Review Introduction

Wire Scanner (Layered) Protection

1. Application Requests W.S. Mode, receives “SW KEY”

» Run permit won’t allow long pulse until APP releases key

» Program crashes, etc. require manual intervention, verification

» MODE changed to 10, 50, or 100 usec as appropriate

2. IOC Receives Request for scan

» Motor Record is locked by mode (Allowed by low PW MODE)

» MODE == SHORT_PULSE, scan starts

3. MPS Hardware input masked by MODE (Not software)

» Limit switch will cut off beam if not masked by MODE MASK

» MODE changes while wire off stops -> Beam cut off

» Motor breaks -> Manual intervention required to get wire out of beam

Page 38: SNS Machine Protection System Final Design Review Introduction

MPS Conclusion

Several layers of protection, Defense in Depth

System is flexible, easy to add / delete sensors as required

Ability to mask through software will increase availability

Easy to run during phased installation.

Hardware enabling SW masks allows configuration control where required, flexibility to mask at will, with same hardware.