THE DIAMOND MACHINE PROTECTION SYSTEM

M. T. Heron, S. Lay, Y. Chernousko, P. Hamadyk, N. Rotolo,
Diamond Light Source, Oxfordshire, UK

Abstract
The Diamond Light Source Machine Protection System manages the hazards from high power photon beams, and other hazards, to ensure equipment protection on the booster synchrotron and storage ring. The system has a shutdown requirement of under 1 msec on a beam mis-steer and has to manage in excess of a thousand interlocks. This is realised using a combination of bespoke hardware and programmable logic controllers.

The structure of the Machine Protection System will be described, together with operational experience and developments to provide post-mortem functionality.

INTRODUCTION
Diamond, a third generation 3GeV synchrotron light source[1], commenced operation in January 2007. The storage ring (SR) is based on a 24-cell double bend achromatic lattice of 561m circumference. It uses a full-energy booster synchrotron and a Linac for injection. The spectral output is optimised for high brightness up to 20keV from Undulators and high flux up to 100keV from Multipole wigglers. The current operational state includes twenty photon beamlines, with a further twelve beamlines now under design or construction.

The design of the Diamond control system [2] is based on the EPICS control system toolkit. It primarily uses VME IOCs as the plant interface. The EPICS control system undertakes plant supervision and operation within defined limits, but does not protect equipment from damage. Independent from the control systems there are hardware and PLC-based subsystems to ensure correct operation of process-based equipment, e.g. cryogenic systems, and protection of equipment. These systems constitute the Machine Protection System.

MACHINE PROTECTION SYSTEM REQUIREMENTS
The Diamond machine protection system is required to protect equipment from damage, both at the local and the global level, by managing the hazard. This is achieved in most cases by controlling the source of the energy. At the global level this involves protecting the vacuum vessel from damage by the photon beam, and series-connected magnets from thermal damage. At the local level this again involves protecting magnets from thermal damage, and photon front ends and vacuum equipment from damage. The MPS further ensures that photon front ends are only operated when insertion devices are within approved ranges of beam current and gap, and that vacuum conditions are such that Gas Bremsstrahlung production is within acceptable levels.

When the required response times for the protection of this equipment are considered, it is evident that most occurrences can be addressed using commodity PLCs. However, the protection of the vacuum vessel against the thermal load of a mis-steered beam requires the dumping of the stored electron beam in under 1 msec (including detection, logic, transmission and beam dump). This therefore requires a dedicated hardware-based solution.

In view of the size of the Diamond facility, a fibre optic infrastructure was installed from each of the accelerator instrumentation areas to a common area. This has been utilised by the MPS, thereby minimising cable runs and potential earth loops.

The MPS is required to ensure protection of equipment, but to operate independently from the supervisory layer of the control system, the EPICS IOCs. The latter ensures correct operation of the equipment within prescribed limits, and only when this fails should the MPS act. Similarly, the Personnel Safety System [3] at Diamond is independent of the Control System and the MPS, and ensures the protection of personnel from various hazards. At the point where the MPS and PSS systems interface, the MPS issues requests to the PSS, with the PSS having the final control of any radiation source.

Whilst the PSS at Diamond is designed against a process based on the standard IEC61508, the MPS design process is not so rigorous, but adopts good practice in managing hazards. It uses simple logic to enable functional testing, solutions designed to fail safe and undergoes periodic validation re-testing to ensure ongoing system integrity.

PRINCIPLE AND ORGANISATION
The MPS monitors a large number of interlock signals from diagnostics instrumentation, vacuum instrumentation, photon front ends and plant monitoring subsystems. Based on logic it can then remove the source of the energy to ensure protection of equipment. Depending on requirements, interlocks are managed on a Local or a Global basis. The Global system is structured as two layers, and supports fast- and slow-response-time interlock requirements.

A Global MPS (GMPS) module takes the interlock permits for a given interlock circuit from each of the cells of the accelerator, and, subject to all interlocks being good, produces a permit to operate the source of energy: the RF amplifier for vessel protection and the PSU for magnet protection (see Figure 1). The Local MPS module takes fast interlock inputs from one cell of the Storage Ring or one quadrant of the Booster. Fast interlocks are those that must drop the beam in under 400 µsec (the maximum speed of the interlock) in the event of failure. Examples of this type of measurement are signals from electron beam position monitors, beam blow-up, beam obstruction (vacuum isolation valves) and reduction in the quality of the vacuum in the storage ring. The module also takes the permits from PLCs that manage the slow interlocks for that local cell.

Slow interlocks are processed by PLCs which manage interlocks where a response time greater than 100msec is acceptable. These include water cooling, vessel and magnet temperature, and component interlocks from photon front ends and photon beamline control subsystems. The PLCs also produce local permits for the correct operation of equipment controlled from within the same cell, an example being the Quadrupole magnet PSUs.

Figure 1: Architecture.

**System Realisation**

The interlock system is based around DLS-designed machine protection cards. The interlocks feed to the LMPS card from the monitoring equipment, and if all interlocks are good, the enable signal is generated. The enable signals for each cell are fed via fibre links to a GMPS card which produces the permit required by the RF or Dipole Power supply to operate.

**The Local MPS Card**

Each Local MPS (LMPS) card can receive up to 32 interlocks as input signals and can be configured as one or two independent channels. The LMPS modules are located in a VME-based IOC that provides power, a time reference and an interface to the control system for monitoring. The output permits are produced as a 5 MHz pulse train and are distributed over optical fibre links to the GMPS module. For a good permit the 5 MHz clock is the active state, so that it is possible to differentiate between a failed interlock, which gives zero output from the optical receiver, and a broken fibre, which gives a high output from the optical receiver.

The 32 inputs to the LMPS card are optically isolated to support 24 volt signal levels. Each input is ORed with a signal from a jumper so that it can be overridden (or disabled) by inserting the jumper. The outputs from all the OR gates, which represent the status of the used inputs, are then ANDed to give an overall logic state. This is then latched on by a Reset signal from the control system. Each LMPS module is monitored by a Hytec 8001 digital I/O board, which reads the state of the jumpers and inputs, provides the reset signals and monitors the transition to the fault condition. The loss of an individual interlock removes the output and sends a signal to the Hytec 8001 board to latch the transition. The output can only make the transition to the enabled state when all the interlocks are good and a reset signal from the 8001 is asserted.
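The card logic just described, modelled in C as an added example (not Diamond's hardware or firmware): each of the 32 inputs is ORed with its override jumper, the results are ANDed into a permit, the permit drops on any loss and re-enables only on a reset with every used interlock good, and the first input lost is latched for diagnosis. The input and jumper masks are constructed values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Software model of the LMPS card (added example, not Diamond's hardware).
 * Bit i of each mask is interlock input i (0..31). An input bit of 1 means the
 * 24 V "good" level is present; a jumper bit of 1 overrides that input. */
typedef struct {
    uint32_t jumpers;      /* override jumpers, readable for monitoring */
    uint32_t inputs;       /* last sampled interlock inputs */
    bool     permit;       /* latched output permit */
    int      first_fault;  /* first input lost since last reset, -1 if none */
} lmps_t;

/* Each input ORed with its jumper; the permit logic ANDs all 32 results. */
static uint32_t lmps_effective(const lmps_t *c) { return c->inputs | c->jumpers; }
static bool lmps_all_good(const lmps_t *c) { return lmps_effective(c) == 0xFFFFFFFFu; }

void lmps_init(lmps_t *c, uint32_t jumpers) {
    c->jumpers = jumpers; c->inputs = 0; c->permit = false; c->first_fault = -1;
}

/* Sample the inputs. Loss of any used interlock drops the permit at once and
 * latches the lowest-numbered input that went good->bad in this sample; inputs
 * lost within one sample window cannot be ordered (see Post Mortem Buffer). */
void lmps_update(lmps_t *c, uint32_t inputs) {
    uint32_t before = lmps_effective(c);
    c->inputs = inputs;
    uint32_t lost = before & ~lmps_effective(c);
    if (lmps_all_good(c)) return;      /* permit stays as latched */
    c->permit = false;
    for (int i = 0; i < 32 && c->first_fault < 0; i++)
        if (lost & (1u << i)) c->first_fault = i;
}

/* Reset from the control system: the permit re-enables only when every used
 * interlock is good; otherwise the fault latch is kept for diagnosis. */
bool lmps_reset(lmps_t *c) {
    if (lmps_all_good(c)) { c->permit = true; c->first_fault = -1; }
    return c->permit;
}

int main(void) {
    lmps_t c; lmps_init(&c, 0x3u);              /* inputs 0 and 1 jumpered out */
    lmps_update(&c, 0xFFFFFFFCu);               /* all used inputs good */
    printf("reset -> permit=%d\n", lmps_reset(&c));
    lmps_update(&c, 0xFFFFFFFCu & ~(1u << 5));  /* input 5 drops */
    printf("permit=%d first_fault=%d\n", c.permit, c.first_fault);
    return 0;
}
```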

**The Global MPS Card**

The Global MPS (GMPS) cards form a “star” point for the Local MPS cards. The GMPS provides the same functionality as the LMPS card, but takes 5MHz optical inputs as the interlocks. Each card produces 4 permit outputs as optical signals.

**The RF/Dipole Interface Card**

The interface from the GMPS to the RF amplifiers and dipole power supply is provided by the MPS decode module. The 5 MHz event stream is detected to provide a logic level, which is made available as a relay clean contact, an opto-coupled output and a TTL output.
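The fail-safe link encoding described in The Local MPS Card section and decoded here, as an added illustration that is not the DLS decode-module design: a routine classifies receiver samples as a live 5 MHz clock, a dropped interlock (stuck low) or a dark fibre (stuck high), and the decoder grants a permit only for a live clock. The sampling rate and the minimum edge count per window are assumptions; the sample arrays are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not Diamond's decode-module hardware. `samples` are optical
 * receiver output levels captured at a rate well above 5 MHz (assumed), so a
 * healthy window contains many transitions of the permit clock. */
typedef enum {
    LINK_PERMIT_GOOD,       /* clock present: interlock chain good */
    LINK_INTERLOCK_FAILED,  /* stuck low: transmitter off, an interlock was lost */
    LINK_FIBRE_BROKEN,      /* stuck high: receiver sees no light */
    LINK_MARGINAL           /* some edges but too few: weak optical budget */
} link_state_t;

link_state_t classify_permit(const uint8_t *samples, size_t n, size_t min_transitions)
{
    size_t transitions = 0, highs = 0;
    if (n == 0) return LINK_MARGINAL;   /* nothing captured: never a permit */
    for (size_t i = 0; i < n; i++) {
        highs += samples[i] ? 1u : 0u;
        if (i > 0 && samples[i] != samples[i - 1]) transitions++;
    }
    if (transitions >= min_transitions) return LINK_PERMIT_GOOD;
    if (transitions == 0 && highs == 0) return LINK_INTERLOCK_FAILED;
    if (transitions == 0 && highs == n) return LINK_FIBRE_BROKEN;
    return LINK_MARGINAL;
}

/* The decode module's job: only a live clock yields a permit (1). Every other
 * state, including a marginal link, reads as no permit (fail-safe). */
int decode_permit_level(const uint8_t *samples, size_t n)
{
    return classify_permit(samples, n, 4) == LINK_PERMIT_GOOD;
}

int main(void) {
    /* constructed receiver samples: a toggling clock and a fibre stuck high */
    const uint8_t clk[8]  = {1, 0, 1, 0, 1, 0, 1, 0};
    const uint8_t dark[8] = {1, 1, 1, 1, 1, 1, 1, 1};
    printf("clock -> permit %d, dark fibre -> permit %d\n",
           decode_permit_level(clk, 8), decode_permit_level(dark, 8));
    return 0;
}
```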

A variant of this decode module provides logic functionality to cascade the Vessel Protection interlock from the RF amplifier to the Dipole power supply. This is to address the possibility that an attempted switch-off of the RF amplifier fails to dump the beam. In this case, the failure to dump the beam is detected, causing the MPS signal to the SR dipole to be removed. To date this variant has not been implemented.

**The PLC Subsystem**

The PLC subsystem uses OMRON CJ1 & CJ2 PLC hardware [4] integrated into a customised chassis. The decision to encapsulate the PLC into crates was taken to provide an element of future-proofing, as the PLC inside the chassis can be upgraded to keep up with advances in technology, whilst maintaining the same plant interface. It also helps maintain consistency of layout and simplicity of construction of control system cabinets. Using a standard 3U 19” crate for the PLC encapsulation with defined I/O interfaces has further enabled consistent I/O assignment and rapid on-site commissioning. An example of this is shown in Figure 2.

Vessel thermal protection is realised using a PLC crate for monitoring slow interlocks associated with water flow and temperature of the vessel and other components. This can monitor 432 digital inputs and 288 Thermal inputs, and provides 96 local permits, which connect in to the LMPS or direct to local PSUs.

Variations of the PLC subsystem have been realised for thermal protection, for control of vacuum valves, and for ID gap and Gas Bremsstrahlung protection. In all cases they build on the same hardware components, the same software components and the same interface to the control system, thereby ensuring good standardisation.

Figure 2: PLC subsystem for control of vacuum valves.

**Communication**

Communication between EPICS and the Omron PLCs associated with the MPS is realised using the Omron FINS protocol over a standard serial connection. This allows reading from and writing to single registers or blocks of registers, where registers can be data memory or I/O locations (writing to direct I/O was disabled).

**Summary of the MPS Implementation on the SR and Booster**

The storage ring (SR) MPS is structured as two circuits: vessel protection and dipole magnet protection. For each circuit the GMPS module receives 24 permits from LMPS modules, one per cell of the SR. The LMPS modules each receive permits from the local PLC module for that cell. For the vessel permit, there are also interlocks from the photon front-end PLC systems and from the photon beamlines. This is shown in Figure 3.

The booster MPS is structured as four circuits: vessel protection, dipole magnet protection, F-quad protection, and D-quad protection. For each circuit the GMPS module receives 4 permits from LMPS modules, one per quadrant of the Booster. The Local MPS modules each receive permits from the local PLC module for that quadrant.

Figure 3: Beamline/Front end connection.

**PLC Software**

Diamond has structured the PLC ladder logic in such a way as to provide a standard set of drivers for all applications that were deemed likely. The code is structured to ensure that the software engineer, when integrating the unit into a system, has to follow the same pattern regardless of where the system is being used, and what it is being used for. This is to permit easy interpretation and fault finding, and to allow additions to be made to that system by other engineers.

The standard programme structure is broken down into a number of sections for housekeeping (where revision control, hours run and watchdog operation are managed), input conditioning, interlock chains, device drivers, power-supply unit enables and interlock forwarding. Generally only the interlock logic section and the interlock forwarding need any adjustments to suit the location.

CONTROL SYSTEM INTERFACE

EPICS provides the user interface to the MPS. An EPICS driver communicates with the MPS card via a Hytec 8001 64-bit digital I/O board with modified firmware. This allows the state of the 32 inputs and 32 jumpers to be read directly, while previously unused bits in the 8001’s control and status register indicate the interlock state and provide the means to generate the reset signal that enables the interlock. The system also allows each permit to be dropped as part of the start-up testing after a shutdown. An overview of the whole system, showing the status of the global permits, is presented to the operator. It is then possible to drill down into an LMPS via the IOC crate in which it is housed, and further to see the status of each individual input on a PLC via the serial link between the PLC and the IOC.

PERFORMANCE

In terms of performance, the most critical requirement is the dumping of the electron beam to protect the vacuum vessel. This has been measured as ~600 μsec and is the sum of:

- BPM detection delay, ~200 μsec;
- delay between the BPM output and the Global vessel permit, ~250 μsec;
- delay from the GMPS output through the RF amplifier and cavity to beam dump, ~150 μsec.

OPERATIONAL EXPERIENCE

The system has proven to be very easy to commission and allows good scope for expansion as upgrades to the storage ring are carried out. By using the modular approach, commissioning could be carried out in isolation on each section as it was completed. This was particularly useful to DLS as the SR was not completed in consecutive sections.

Many of the interlocks for the MPS originate within the CIA, and because all of the field wiring is brought back into the MPS rack, a lot of the initial fault finding could be carried out without the need for vault entry. This saved time and reduced disruption during the machine commissioning phase.

Occasional spurious trips that left no event record have prompted a redesign of the LMPS, for the reasons described below.

FUTURE DEVELOPMENTS

**Post Mortem Buffer**

The arrangement of latching the failed interlock is supposed to capture the first interlock to be lost, thereby diagnosing the original cause of the beam loss. On a beam loss, the beam position interlocks activated within the clock window are also latched along with the true first interlock. If the first interlock is a non-position interlock, it will come up along with all the beam position interlocks and so can be identified. Also, if the first interlock is a position interlock, the post mortem in the Libera BPMs provides clear information as to the cause. However, this falls down in the event of a spurious interlock from a BPM, or from a LMPS to the GMPS module. The latter caused a series of false beam dumps due to inadequate transmission power between the LMPS and the GMPS module and reduction of optical output with aging of transmitters, so that spurious failures of interlocks were registered by the GMPS. The originating LMPS module was only identified by monitoring the decoded inputs to the GMPS with a logic analyser. This has resulted in a redesign of the GMPS to add post-mortem capability, and improved transmitter power on LMPS modules to ensure an adequate optical budget.

**Remote IO PLC**

For the next phase of photon beamlines a new generation of Omron PLCs has been selected. These have enabled the adoption of Remote I/O (RIO) and an Ethernet interface between the control system and the PLC. Remote I/O reduces cabling complexity and improves flexibility in deploying I/O into the field. RIO uses standard Ethernet cabling and Profinet, and RIO modules are built up into standard junction boxes, one for thermal monitoring and another for general-purpose I/O. The Remote I/O does not perform any logic on the signals; it simply acts as a receiver and passes everything back to the PLC crate. This necessitates configuring the RIO output modules so that, in the event of a failure of RIO communication, the I/O fails to the safe state. The PLC logic is protected by a watchdog timer against failures in communication with the RIO.

The new PLC CPU (CJ2M) has a built-in Ethernet connection which allows both EPICS and the programming software to share the connection. EPICS communication is handled over UDP using FINS protocol whilst programming is realised over TCP/IP.
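A worked illustration, added here and not Diamond's EPICS driver, of the kind of check behind "writing to direct I/O was disabled" in the Communication section, applied to the FINS-over-UDP transport described above: a gate passes FINS memory-area reads, lets writes reach Data Memory only, and rejects writes to the CIO (direct I/O) area and malformed frames. The frame layout and memory-area codes are Omron's FINS ones; the node addresses in the constructed header are arbitrary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Diamond's EPICS driver: policy check on an outgoing FINS
 * command frame (UDP layout: 10-byte header, then MRC/SRC command code and
 * parameters). Reads pass; writes may target Data Memory only. */
enum { FINS_HDR = 10, CMD_MEM_READ = 0x0101, CMD_MEM_WRITE = 0x0102 };
enum { AREA_CIO_BIT = 0x30, AREA_CIO_WORD = 0xB0, AREA_DM_BIT = 0x02, AREA_DM_WORD = 0x82 };
typedef enum { FINS_ALLOW, FINS_DENY_MALFORMED, FINS_DENY_IO_WRITE, FINS_DENY_OTHER } fins_verdict_t;

fins_verdict_t fins_screen(const uint8_t *f, size_t len)
{
    if (len < FINS_HDR + 3) return FINS_DENY_MALFORMED;   /* header + command + area code */
    if (f[0] & 0x40) return FINS_DENY_MALFORMED;          /* ICF bit 6 set: a response, not a command */
    uint16_t cmd = (uint16_t)((f[10] << 8) | f[11]);
    uint8_t area = f[12];
    if (cmd == CMD_MEM_READ) return FINS_ALLOW;
    if (cmd == CMD_MEM_WRITE) {
        if (len < FINS_HDR + 8) return FINS_DENY_MALFORMED;   /* area + 3-byte address + 2-byte count */
        if (area == AREA_DM_WORD || area == AREA_DM_BIT) return FINS_ALLOW;
        if (area == AREA_CIO_WORD || area == AREA_CIO_BIT) return FINS_DENY_IO_WRITE;
    }
    return FINS_DENY_OTHER;   /* default deny: other areas and other command codes */
}

/* Builds a memory-area read or write request (write data omitted) for testing.
 * Header: ICF=0x80 (command, response required), RSV, GCT=2, destination
 * DNA/DA1/DA2 = node 1, source SNA/SA1/SA2 = node 2, SID (constructed values). */
size_t fins_build(uint8_t *out, uint16_t cmd, uint8_t area, uint16_t word, uint16_t count)
{
    static const uint8_t hdr[FINS_HDR] = {0x80, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x02, 0x00, 0x01};
    memcpy(out, hdr, FINS_HDR);
    out[10] = (uint8_t)(cmd >> 8);  out[11] = (uint8_t)cmd;  out[12] = area;
    out[13] = (uint8_t)(word >> 8); out[14] = (uint8_t)word; out[15] = 0;  /* bit 0: word access */
    out[16] = (uint8_t)(count >> 8); out[17] = (uint8_t)count;
    return FINS_HDR + 8;
}

int main(void) {
    uint8_t buf[32];
    size_t n = fins_build(buf, CMD_MEM_WRITE, AREA_CIO_WORD, 0, 1);
    printf("write to CIO -> verdict %d (%d = denied as direct I/O write)\n",
           fins_screen(buf, n), FINS_DENY_IO_WRITE);
    return 0;
}
```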

CONCLUSION

In summary the DLS Machine Protection system is modular in structure which has facilitated deployment and maintainability. It has met its design specification for shutdown time and has proven its worth on a number of occasions when there have been vacuum incidents or localised increases in heat due to cooling problems.

REFERENCES