The machine protection system for CSNS

The China Spallation Neutron Source (CSNS) accelerator consists of an 80 MeV H- LINAC, a 1.6 GeV rapid cycling synchrotron (RCS) and two beam transport lines. An uncontrolled beam may permanently damage components or lead to a very high residual radiation dose along the beam line, so equipment protection must be deliberately designed and implemented. The machine protection system (MPS) protects components from being damaged by the beam. The response time requirement for the CSNS MPS is less than 20 ms, so a PLC (programmable logic controller) was adopted to implement the interlock logic. The MPS was implemented as a two-tier architecture and developed using PLC and Experimental Physics and Industrial Control System (EPICS) software toolkits. The application logic was given careful consideration during the implementation stage. An embedded CPU module running an embedded Linux operating system functions as an IOC, accessing the PLC I/O modules through the sequence CPU. The interlock logic and heartbeat functions were tested, and all functions worked correctly. Because the response time is an important requirement, it was measured thoroughly; it takes around 15 ms to stop the beam. The MPS was completed in Sep. 2017 and then put into operation. It has been operating smoothly for more than 3 years. The MPS has played an important role in every stage of CSNS's commissioning and operation and has achieved high reliability during user experiment operation. The accelerator has recently been running stably with few equipment failures.


Introduction
CSNS is a high-power proton accelerator-based facility. An uncontrolled beam may permanently damage components or lead to a very high residual radiation dose along the beam line, so equipment protection must be deliberately designed and implemented. The CSNS equipment protection system consists of two protection systems: the PLC-based slow protection system, i.e., the MPS, and the FPGA-based fast protection system (FPS). The interaction of the MPS and FPS is coordinated by the run management system (RMS), which is responsible for the management of accelerator operation [1][2][3][4][5].
The response time requirement for the MPS is less than 20 ms. Given this requirement, a PLC is a good choice for implementing the MPS. For the CSNS MPS, the Yokogawa FA-M3 series PLC was adopted. The CSNS MPS was implemented in a two-tier architecture. The response time measured in the field for the CSNS MPS is about 15 ms, which fulfils the requirement [6][7][8][9].

Input signals classification
The input signals from the technical systems, including the power supply system, vacuum system, radio frequency system and other related systems, were determined after comprehensive discussion and investigation. The signals that need to be collected by the MPS are shown in Table 1 [10][11][12][13][14].

Sub-area definition
The CSNS has five beam destinations: linac dump (L-DUMP), linac dump1 (LRDMP1), injection dump (I-DUMP), RCS dump (R-DUMP) and target as shown in Fig. 1. Each beam destination is defined as a machine mode, and another specific machine mode is defined as the ION SOURCE for ion source condition only.
The current operation area is the actual beam operation area according to the machine mode. To keep the accelerator available for operation, only the input signals inside the current operation area take part in the interlock logic; those outside the current operation area do not. Therefore, it is necessary to manage the input signals properly to facilitate the implementation.
The sub-area definition is designed to achieve this goal. The MPS divides the input signals from the whole facility into 10 sub-areas; each sub-area contains many specific input signals, and one input signal can only belong to one sub-area; MPS will use the machine mode to determine the interlock sub-area combinations as shown in Table 2.

Critical equipment
Some specific power supplies for the dipole magnets steer the beam to the five beam destinations shown in the figure above. These power supplies are LRSWBPS01, LRBPS, ISEP1, ISEP2, ESEP, RTBPS01, RTBPS02, RTBVPS01 and RTBVPS02. For each of them, both the fault signal and the current setting signal are sent to the MPS, which defines these power supplies as critical equipment. In addition, the primary strip foil is also defined as critical equipment.

Redundant design
To improve the reliability of the MPS, the redundant design principle was adopted for the CSNS MPS.

Interconnection with other protection systems
The protection system for CSNS consists of the MPS, the FPS and the PPS (personnel protection system). Figure 2 shows the diagram of the interactions among the RMS, MPS, FPS and PPS. The MPS must interact with the other systems during operation. The RMS coordinates these three protection systems and facilitates the accelerator's operation management. The MPS and FPS have independent cable routes to stop the beam. PPS signals are treated as an input of the MPS and RMS. Furthermore, the heartbeat signals of the PPS, RMS and MPS are monitored by each other to detect system malfunctions.

Beam stopping procedure
The MPS must stop the beam immediately if a fault signal is detected. The MPS has two actuators for stopping the beam: the ion source 50 kV accelerating power supply and the FPS. When a fault signal is received by the MPS, it sends the interlock signal to the ion source control system and the FPS simultaneously; the ion source control system turns the voltage of the ion source accelerating power supply down to 0 kV, and the FPS carries out a series of actions. Figure 3 shows the diagram of the beam stopping procedure of the MPS.

Overall system architecture
The CSNS MPS was implemented as a two-tier architecture and developed using PLC and Experimental Physics and Industrial Control System (EPICS) software toolkits. The hardware architecture is depicted in Fig. 4; the main station is responsible for the interlock logic, and the four sub-stations are responsible for signal collection. The signals from the various types of equipment are collected by 4 sets of slave PLCs located at different control stations and then transmitted to the MPS-A master PLC through multi-core cables only. The signals of critical equipment are sent directly to the master PLCs of MPS-A and MPS-B via cables.

Application logic
The application logic is realized by ladder diagram, and the following four points were taken into careful consideration during the implementation stage.

1) Fail-safe for interface
For reliability, the fail-safe principle is applied to each interface. The interface of each input and output signal is closed under normal conditions and switches to the open state when the equipment fails or the cable route is broken.

2) Self-locking
The MPS uses a self-locking relay to implement the interlock. If the input signal changes to the fault state, the self-locking relay keeps itself locked and can only be reset by a manual reset trigger. This is illustrated in Fig. 5: when the input relay X01004 of vacuum valve R2GV01 changes from closed to open, the internal relay I00102 switches to the self-locking state. The self-locking implementation is also helpful for post-analysis.

3) Snapshot function
The snapshot function is designed to record the input channels state at the interlock moment, which can be used to identify which input signal triggered the interlock first. This is illustrated in Fig. 6; the input relays X00301-X00316 (No. 3 slot digital input module) are assigned to the internal relays I00001-I00016 using a block transfer instruction BMOV. When the falling edge of the interlock signal I00515 is detected, D00101 and D00001 are refreshed by D00001 and I00001-I00016, respectively. That is, D00001 records the snapshot of X00301-X00316 at the interlock moment, and D00101 records the snapshot of X00301-X00316 at the previous interlock moment.
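The fail-safe, self-locking and snapshot behaviour described in points 1) to 3) can be modelled scan by scan. The following Python model is an added example, not the ladder program from the paper; the class and function names, the use of `None` for an empty register and the rule that a reset is ignored while any input is still open are assumptions of this sketch.

```python
ALL_CLOSED = 0xFFFF  # 16 fail-safe inputs: bit 1 = contact closed (healthy), 0 = open


def word_without(*channels):
    """16-bit input word with the given channels (1-16) open, all others closed."""
    word = ALL_CLOSED
    for ch in channels:
        word &= ~(1 << (ch - 1))
    return word


def open_channels(word):
    """Channel numbers (1-16) whose contact is open in a 16-bit input word."""
    return [ch for ch in range(1, 17) if not (word >> (ch - 1)) & 1]


class InterlockModule:
    """One 16-channel input module with a self-locking permit and two snapshots."""

    def __init__(self):
        self.permit = True         # interlock signal: True = beam permitted
        self.snapshot = None       # role of D00001: inputs at the latest trip
        self.prev_snapshot = None  # role of D00101: inputs at the trip before

    def scan(self, inputs, reset=False):
        """Process one scan of the input word and return the beam permit."""
        healthy = (inputs & ALL_CLOSED) == ALL_CLOSED
        if self.permit and not healthy:
            # Falling edge of the permit: shift the old snapshot, capture the new one.
            self.prev_snapshot = self.snapshot
            self.snapshot = inputs & ALL_CLOSED
            self.permit = False
        elif not self.permit and reset and healthy:
            # Assumption: manual reset only takes effect once all inputs are closed.
            self.permit = True
        return self.permit


def run_demo():
    """Replay a constructed scan sequence; return (permit trace, latest, previous)."""
    m = InterlockModule()
    trace = [
        m.scan(word_without()),              # all inputs healthy
        m.scan(word_without(4)),             # channel 4 opens: trip and snapshot
        m.scan(word_without(4, 9)),          # channel 9 follows: snapshot unchanged
        m.scan(word_without()),              # inputs recover: latch still holds
        m.scan(word_without(), reset=True),  # manual reset restores the permit
        m.scan(word_without(12)),            # second trip
    ]
    return trace, open_channels(m.snapshot), open_channels(m.prev_snapshot)
```

Because the snapshot is taken only on the falling edge, the follow-on fault on channel 9 never overwrites the record that channel 4 opened first.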

4) Periodic heartbeat monitoring
The healthy state of the MPS itself is essential to the operation of CSNS. To monitor the health of the MPS, a heartbeat signal generating and monitoring method was implemented. Figure 7 shows the periodic heartbeat signal monitoring among the protection systems; the signals are generated and checked by the PLC I/O. Figure 8 shows the 10-s-width periodic heartbeat signals for the slave PLCs at the local control stations, which are generated by the timer in the ladder.
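A receiver of such a heartbeat has to treat a signal stuck at either level as a failure, since only the edges prove that the sender is still running. The following Python sketch is an added example, not code from the paper; the 2 s tolerance, the once-per-second sampling and the peer names are assumptions, and the sample streams are constructed.

```python
class HeartbeatMonitor:
    """Watches one square-wave heartbeat; the peer is alive while edges keep arriving."""

    def __init__(self, width_s=10.0, tolerance_s=2.0):
        # width_s is the 10 s pulse width from the text; tolerance_s is an assumed margin.
        self.limit = width_s + tolerance_s
        self.level = None
        self.last_edge = None

    def sample(self, t, level):
        """Feed one reading taken at time t; return True while the peer is alive."""
        if level != self.level:  # first reading or a rising/falling edge
            self.level, self.last_edge = level, t
        return t - self.last_edge <= self.limit


def first_failures(streams):
    """Map each peer to the time its heartbeat was first declared lost (None if never)."""
    result = {}
    for peer, samples in streams.items():
        mon = HeartbeatMonitor()
        result[peer] = next((t for t, lvl in samples if not mon.sample(t, lvl)), None)
    return result


def square_wave(duration_s, freeze_at=None):
    """Constructed signal sampled once per second, toggling every 10 s, optionally frozen."""
    out = []
    for t in range(duration_s):
        src = t if freeze_at is None else min(t, freeze_at)
        out.append((t, (src // 10) % 2))
    return out


SAMPLE_STREAMS = {  # constructed data; peer names are placeholders
    "slave-1": square_wave(80),                # healthy for the whole run
    "slave-2": square_wave(80, freeze_at=40),  # stuck low after t = 40 s
    "slave-3": square_wave(80, freeze_at=30),  # stuck high after t = 30 s
}
```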

Software applications
An embedded CPU module named F3RP61, running an embedded Linux operating system, functions as an IOC that accesses the PLC I/O modules through the sequence CPU. The adoption of the embedded IOC not only simplifies the architecture of the system, but also improves the data transmission speed [15].
Control system studio (CSS) BOY toolset was utilized to design the MPS operator interface (OPI), which is organized in two major layers, i.e., (1) the main window; (2) the detail windows. As shown in Fig. 9, the main window includes 13 detail windows.
The stand-alone application is the bypass status save/restore tool, which gives operators the tools necessary to save a consistent set of bypass statuses and, when necessary, to quickly restore a previously saved status.

Comprehensive test and effectiveness
The interlock logic and heartbeat functions were tested first, and all functions worked correctly. In the selected machine mode, any input channel in the current operation area can stop the beam immediately; those outside the current operation area do not affect the beam.
Because the response time is an important requirement, it was measured thoroughly. Figure 10 shows the oscilloscope screenshot for the response time test; the yellow signal represents the time when the input signal is received by the slave PLC on the RTBT station, and the blue signal indicates the time when the output signal is generated from the master PLC on the MPS-A station. The response time to stop the beam is around 15 ms. The delays of the cables and PLC I/O modules are the main contributors.
The accelerator has recently been running stably with few equipment failures. For example, on June 10, 2019, an MPS interlock occurred when the corresponding vacuum degree deteriorated. In Fig. 11, the blue and green signals from cold gauges R4CCG05 and R4CCG06, respectively, indicate the time when the threshold was reached; the orange signal represents the time when the valve R4GV02 was triggered; and the red signal indicates the time when the MPS interlock was generated from the master PLC on the MPS-A station to protect valve R4GV02.

Summary
MPS was completed in September 2017 and then put into operation. It has been operating smoothly for more than 3 years. MPS has played an important role in every stage of CSNS's commissioning and operation and achieved high reliability during the user's experiment operation. To eliminate operators' misoperation, MPS is also under strict management. The comprehensive test was carried out, after