Abstract
Background
The China Spallation Neutron Source (CSNS) accelerator consists of an 80 MeV H- LINAC, a 1.6 GeV rapid cycling synchrotron (RCS) and two beam transport lines. The uncontrolled beam may permanently damage the components or lead to very high residual radiation dose along the beam line. So the equipment protection must be deliberately designed and implemented.
Purpose
The machine protection system (MPS) protects components from being damaged by the beam. The response time requirement for the CSNS MPS is less than 20 ms, so the PLC (programmable logic controller) was adopted to implement the interlock logic.
Methods
The MPS was implemented as a two-tier architecture system, and developed through utilizing PLC and Experimental Physics and Industrial Control System (EPICS) software toolkits. The application logic was taken into careful consideration during the implementation stage. An embedded CPU module can function as an IOC accessing PLC I/O modules through the sequence CPU, with an embedded Linux operation system.
Results
The interlock logic and heartbeat functions were tested with all functions ok. Time consumption has been measured thoroughly since the important requirement, which is around 15 ms to stop the beam.
Conclusions
MPS was completed in Sep. 2017 and then put into operation. It has been operating smoothly for more than 3 years. MPS has played an important role in every stage of CSNS’s commissioning and operation and achieved high reliability during the user’s experiment operation. The accelerator recently runs stably with low equipment failure.
Similar content being viewed by others
Avoid common mistakes on your manuscript.
Introduction
CSNS is a high-power proton accelerator-based facility. The uncontrolled beam may permanently damage the components or lead to very high residual radiation dose along the beam line. So the equipment protection must be deliberately designed and implemented. The CSNS equipment protection system consists of two protection systems; one is the PLC-based slow protection system, i.e., MPS. The other is the FPGA-based fast protection system, i.e., fast protection system (FPS). The interaction of MPS and FPS is coordinated by the run management system (RMS), which is responsible for the management of accelerator operation [1,2,3,4,5].
The response time requirement for the MPS is less than 20 ms. Considering the response time requirement, PLC is a good choice to implement the MPS. For the CSNS MPS, Yokogawa FA-M3 series PLC was adopted. The CSNS MPS was implemented in two-tier architecture. The field measured response time for CSNS MPS is about 15 ms, which could fulfil the requirements [6,7,8,9].
The design of MPS
Input signals classification
The input signals from technical systems, including power supply system, vacuum system, radio frequency system and other related system, were determined after comprehensive discussion and investigation. The signals need to be collected by MPS as shown in Table 1 [10,11,12,13,14].
Sub-area definition
The CSNS has five beam destinations: linac dump (L-DUMP), linac dump1 (LRDMP1), injection dump (I-DUMP), RCS dump (R-DUMP) and target as shown in Fig. 1. Each beam destination is defined as a machine mode, and another specific machine mode is defined as the ION SOURCE for ion source condition only.
Sub-area diagram
The current operation area is the actual beam operation area according to the machine mode. For the availability of accelerator’s operation, only the input signals included in the current operation area are involved in the interlock logic, and those outside the current operation area are not involved in. Therefore, it is necessary to manage the input signals properly to facilitate the implementation.
The sub-area definition is designed to achieve this goal. The MPS divides the input signals from the whole facility into 10 sub-areas; each sub-area contains many specific input signals, and one input signal can only belong to one sub-area; MPS will use the machine mode to determine the interlock sub-area combinations as shown in Table 2.
Critical equipment
For some specific power supplies for dipole magnets, which make the beam point to five beam destinations as shown in the figure above. The power supplies are LRSWBPS01, LRBPS, ISEP1, ISEP2, ESEP, RTBPS01, RTBPS02, RTBVPS01 and RTBVPS02, both the fault signal and the current setting signal, are sent to the MPS. MPS defines these power supplies as the critical equipment. Besides, the primary strip foil is also defined as critical equipment.
Take the power supply LRSWBPS01 as an example, which is a bipolar power supply. According to the different settings, the corresponding magnet LRSW will deliver to beam to three beam destinations. For a given beam destination, the predefined mode signals are sent to LRSWBPS01 by MPS firstly, and then, MPS checks feedback status signals from power supply. Tables 3 and 4 show the detailed signal combinations sent by MPS and power supply LRSWBPS01, respectively.
Redundant design
In order to promote the reliability of the MPS, the redundant design principle was adopted for the CSNS MPS. MPS consists of two independent systems: MPS-A and MPS-B, where MPS-A collects all the interlock signals from the CSNS facility and MPS-B only collects interlock signals from the critical equipment. Moreover, independent beam stopping cable routes are utilized by the two systems. Both MPS-A and MPS-B are online during the operation of accelerator. MPS-A adopts the master–slave architecture and MPS-B has only one station.
Interconnection with other protection systems
The protection system for CSNS consists of MPS, FPS and PPS (personnel protection system). Figure 2 shows the diagram of the interactions among RMS and MPS, FPS and PPS. The operation of MPS must be interacted with other systems. RMS plays the role of coordinating these three protection system and facilitates the accelerator’s operation management. MPS and FPS has independent cable routes to stop the beam. PPS signals are treated as an input of MPS and RMS. Furthermore, the heartbeat signals of PPS, RMS and MPS can be monitored by each other to detect the system malfunction.
Interconnection among overall protection systems
Beam stopping procedure
MPS must stop the beam immediately if the fault signal is detected. There are two actuators for MPS to stop the beam, which are ion source 50 kV accelerating power supply and FPS, respectively. When the fault signal is received by MPS, it will send the interlock signal to ion source control system and FPS simultaneously; the ion source control system will turn down voltage of the ion source accelerating power supply to 0 kV, and the FPS will carry out a series of actions. Figure 3 shows the diagram of beam stopping procedure of MPS.
Beam stopping procedure of MPS
The implementation of MPS
Overall system architecture
The CSNS MPS was implemented as a two-tier architecture system and developed through utilizing PLC and experimental physics and industrial control system (EPICS) software toolkits. The hardware architecture is depicted in Fig. 4; the main station responds for interlock logic, and the four sub-stations respond for signals collection. The signals from various types of equipment are collected by 4 sets of slave PLCs located at different control stations and then transmitted to the MPS-A master PLC through multi-core cables only. The signals of critical equipment are directly sent to the master PLC of MPS-A and MPS-B via cables.
System diagram of MPS hardware architecture
Application logic
The application logic is realized by ladder diagram, and the following four points were taken into careful consideration during the implementation stage.
-
1)
Fail-safe for interface
For the consideration of reliability, the principle of fail-safe is applied to each interface. The interface of the input and output signal is normally closed under normal condition and will be switched to open state when the equipment failure happens or the cable route is broken.
-
2)
Self-locking
MPS utilizes the self-locking relay to implement the interlock. If the input signal changes to fault state, the self-locking relay will keep itself locked, which can only be reset by a manual reset trigger. This is illustrated in Fig. 5, the input relay X01004 of vacuum valve R2GV01 changing from closed to open, which results in the internal relay I00102 switching to self-locking state. The self-locking implementation is also helpful for the post-analysis.
-
3)
Snapshot function
The snapshot function is designed to record the input channels state at the interlock moment, which can be used to identify which input signal triggered the interlock first.
This is illustrated in Fig. 6; the input relays X00301-X00316 (No. 3 slot digital input module) are assigned to the internal relays I00001-I00016 using a block transfer instruction BMOV. When the falling edge of the interlock signal I00515 is detected, D00101 and D00001 are refreshed by D00001 and I00001-I00016, respectively. That is, D00001 records the snapshot of X00301-X00316 at the interlock moment, and D00101 records the snapshot of X00301-X00316 at the previous interlock moment.
-
4)
Periodic heartbeat monitoring
Illustration of fail-safe for input interface in ladder
Illustration of snapshot function in ladder
The healthy state of MPS itself is essential to the operation CSNS. In order to monitor the health of the MPS, the heartbeat signal generating and monitoring method was implemented.
Figure 7 shows the periodic heartbeat signals monitoring among protection systems, which are generated and checked by the PLC I/O. Figure 8 shows the 10-s-width periodic heartbeat signals for slave PLCs at local control stations, which are generated by the timer in the ladder.
Illustration of periodic heartbeat signals among protection systems
Illustration of periodic heartbeat signals monitoring for slave PLCs
Software applications
An embedded CPU module named F3RP61 can function as an IOC accessing PLC I/O modules through the sequence CPU, with an embedded Linux operation system. The adoption of the embedded IOC not only simplifies the architecture of the system, but also improves the data transmission speed [15].
Control system studio (CSS) BOY toolset was utilized to design the MPS operator interface (OPI), which is organized in two major layers, i.e., (1) the main window; (2) the detail windows. As shown in Fig. 9, the main window includes 13 detail windows.
Screenshot of main window
The stand-alone application is bypass status save/restore tool, which is designed to provide the operator tools necessary to save a consistent condition of bypass status and to allow, when necessary, a quick restore to a previously saved status.
Comprehensive test and effectiveness
The interlock logic and heartbeat functions were tested first with all functions ok. In selected machine mode, any input channel in the current operation area can stop the beam immediately; those outside the current operation area do not affect the beam.
Time consumption has been measured thoroughly since the important requirement. Figure 10 shows the oscilloscope screenshot for response time test; the yellow signal represents the time when the input signal is received by slave PLC on RTBT station; the blue signal indicates the time when the output signal is generated from master PLC on MPS-A station. The response time is around 15 ms to stop the beam. Delay of cables and PLC I/O modules contribute mainly.
Oscilloscope screenshot for response time test
The accelerator recently runs stably with low equipment failure. For example, on June 10, 2019, an MPS interlock occurs when the corresponding vacuum degree deteriorates, in Fig. 11, the blue and green signals from cold gauge R4CCG05 and R4CCG06, respectively, indicate the time when threshold reached; the orange signal represents the time when the valve R4GV02 was triggered, and then, the red signal indicates the time when the MPS interlock was generated from master PLC on MPS-A station to protect valve R4GV02.
MPS effectiveness example
Summary
MPS was completed in September 2017 and then put into operation. It has been operating smoothly for more than 3 years. MPS has played an important role in every stage of CSNS’s commissioning and operation and achieved high reliability during the user’s experiment operation. To eliminate operators’ misoperation, MPS is also under strict management. The comprehensive test was carried out, after each summer shut down of CSNS, to guarantee the function of MPS.
References
W. Jie, F. Shinian, T. Jingyu et al., China spallation neutron source: an overview of application prospects. Chin. Phys. C 33(11), 1033–1042 (2009)
W. Sheng, F. Shouxian, F. Shinian et al., Introduction to the overall physics design of CSNS accelerators. Chin. Phys. C 33(s2), 1–3 (2009)
L. Huachang, P. Jun, G. Keyun et al., DTL construction status of China spallation neutron source. Atom. Energy Sci. Technol. 49(S2), 556–559 (2015)
J. Dapeng, Z. Yuliang, Z. Peng. Design, implementation and setup of the fast protection system for CSNS. ICALEPCS 2015.
Z. Yuliang, K. Mingtao, J. Dapeng, et al. The run management system for CSNS. Rad. Detect. Technol. Methods, 2019.
Z. Jijiu, Y. Zhaosheng, Particle Accelerator Technology (Higher Education Press, Beijing, 2006).
C. Sibley, Machine protection strategies for high power accelerators. PAC 607–611, 2003 (2003)
C. Sibley, D. Armstrong, A. Jones et al., The SNS machine protection system: early commissioning results and future plans. PAC 1727–1729, 2005 (2005)
M. Alcorta, D. Dale, H. Hui et al., Status of the machine protection system for ARIEL E-LINAC. IPAC 4829–4831, 2018 (2018)
W. Chunhong, W. Xiaoli, L. Jia, et al. Status of the CSNS control system. ICALEPCS 2011.
M. Yinglin, W. Qingbin, W. Yufei et al., Design of CSNS radiation safety interlocking access control system. Nucl. Safety 16, 85 (2017)
Z. Lei, T. Jianmin, Q. Ruiyang et al., Design of the CSNS beam loss monitor system. High Power Laser Particle Beams. 1, 80–85 (2019)
Q. Xin, Z. Jing, H. Zuyue et al., Magnet power supply system for China spallation neutron source. Power Electron. 2014(12), 14–16 (2014)
D. Haiyi, S. Hong, L. Qi et al., Research and development of vacuum system for China spallation neutron source. Vacuum 4, 1–6 (2015)
M. R. Kraimer, J. B. Anderson, A. N. Johnson, et al., EPICS application developer's guide. https://epics.anl.gov/base/R3-14/12-docs/AppDevGuide/. Accessed 19 May 2020.
Acknowledgements
This work was supported by the China Spallation Neutron Source project, the National Science Foundation of China (Grant Nos. 11575289), and the Key Laboratory of Particle Acceleration Physics & Technology and State Key Laboratory of Particle Detection and Electronics.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Mingtao, K., Yuliang, Z., Dapeng, J. et al. The machine protection system for CSNS. Radiat Detect Technol Methods 5, 273–279 (2021). https://doi.org/10.1007/s41605-021-00239-8
Received:
Revised:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s41605-021-00239-8