R&D ERL: Machine Protection System

Zeynep Altinbas

Collider-Accelerator Department
Brookhaven National Laboratory
Upton, NY 11973

Notice: This document has been authorized by employees of Brookhaven Science Associates, LLC under Contract No. DE-AC02-98CH10886 with the U.S. Department of Energy. The United States Government retains a non-exclusive, paid-up, irrevocable, world-wide license to publish or reproduce the published form of this document, or allow others to do so, for United States Government purposes.
INTRODUCTION

The Machine Protection System (MPS) is a device-safety system that is designed to prevent damage to hardware by generating interlocks, based upon the state of input signals generated by selected sub-system. It exists to protect key machinery such as the 50 kW and 1 MW RF Systems. When a fault state occurs, the MPS is capable of responding with an interlock signal within several microseconds. The Machine Protection System inputs are designed to be fail-safe. In addition, all fault conditions are latched and time-stamped.

HARDWARE

The MPS runs on a programmable automation controller called CompactRIO (Compact Reconfigurable Input Output). The National Instruments CompactRIO is an advanced embedded control and data acquisition system designed for applications that require high
performance and reliability. This small sized, rugged system has an open, embedded architecture which allows developers to build custom embedded systems in a short time frame.

The National Instruments CompactRIO 9074

The National Instruments CompactRIO device that is used for the MPS is an NI cRIO 9074. The cRIO 9074 is an 8-slot chassis with an integrated real-time processor and an FPGA. The embedded real-time processor is a 400 MHz Freescale MPC5200 that runs the WindRiver VxWorks real-time operating system. The FPGA is a Xilinx Spartan 3 with 2 million gates (46,080 logic cells) and 720 KB embedded RAM. The cRIO 9074 also features a 256 MB nonvolatile memory. CompactRIO combines an embedded real-time processor, a high-performance FPGA and hot-swappable I/O modules to form a complete control system. Each module is connected directly to the FPGA and the FPGA is connected to the real-time processor via a high-speed PCI bus.

ERL critical sub-systems such as the RF system require the MPS to respond on a microsecond scale. High-speed I/O modules were chosen to meet the necessary timing requirements. The MPS currently uses three of these I/O modules: a 32-channel 24V input module, an 8-channel TTL input-output module, and a 4-channel SPST relay output module. The 24V module has sinking digital inputs with 7 µs response time, and the TTL module has digital inputs and outputs with 100 ns response time.

1 Image courtesy of National Instruments
SOFTWARE

The MPS interface is written in LabVIEW (Laboratory Virtual Instrumentation Engineering Workbench). LabVIEW is a graphical programming environment used to develop measurement, test, and control systems utilizing graphical icons and wires that resemble a flowchart. The National Instruments CompactRIO platform requires two different LabVIEW software modules corresponding to the System’s interface, one for the Real-Time processor and one for the FPGA. These modules contain custom functions specific to the Real-Time processor or the FPGA in addition to all the functionalities of the standard LabVIEW module.

The code for both the Real-Time processor and the FPGA is developed on a host computer. The program for the FPGA is developed by using a standard LabVIEW software module. The LabVIEW FPGA code is then converted to VHDL code and compiled using the Xilinx tool chain. The program for the Real-Time processor is also developed by using a standard LabVIEW software module. When ready, the code for the Real-Time processor and the FPGA is downloaded to the CompactRIO device via Ethernet. Once the code is downloaded, the CompactRIO can run in a stand-alone mode, or communicate directly with a host via Ethernet.

Running directly on the cRIO platform, the MPS interface accepts the various input signals and generates any necessary interlocks. An interlock is generated when a logic high (fault) at the input is seen. (If a cable is disconnected or broken, an internal pull-up ensures the System will generate an interlock. Exception is given to the RF sub-system which provides high-level inputs due to equipment constraints. These inputs are inverted within the LabVIEW FPGA.) If one of the continuously polled input levels change to high (indicating a fault), the fault is latched, and the time of the event is recorded using a 32-bit LabVIEW tick counter function. This provides a microsecond time stamp. The MPS interface also provides the capability to enable and disable inputs. Enabled and latched inputs are then combined and passed to other critical systems as interlocks. The input latches are cleared only after a software reset has been issued.

Operators communicate to the MPS interface using the main ERL server. Operators have the ability to enable/disable individual system inputs, clear latches via a reset button, and check the overall system status. The Real-Time processor code performs a handshake with the main server to ensure connectivity. National Instruments also provides web server capability which allows the developer to monitor and control the system remotely, avoiding interaction with the ERL main server.
**EXISTING SYSTEM**

The original ERL MPS was implemented and tested during the Cold Emission Test. In this configuration, the MPS had nine sub-system inputs and four outputs. As per the requirements, each sub-system provided either a TTL level or normally open dry contact. All the inputs are latched when a fault occurs, and the fault time is recorded. This information is displayed by the MPS interface until the reset button is selected in an attempt to clear latched inputs. If the fault condition is still present, the appropriate latch maintains the interlock status. When the MPS turns on initially, the same reset button is used to establish a connection and inform the hardware that the sub-systems are ready to be monitored. This practice is utilized in order to prevent the MPS from starting prematurely in the case of a power-loss. The interface also has two indicators derived from the outputs, to display the status of the critical sub-systems. The System response time is 3-4 µs.

The MPS communicates with the ERL main server by sending data every 10 minutes, or every time a value changes.

The existing CompactRIO chassis is populated with 3 I/O modules. It has the following I/O spares: 1 TTL level input, 2 TTL level outputs, 28 24V inputs, and 2 relay channels. However, the
MPS hardware can be expanded by installing more I/O modules into the 5 available slots in the cRIO chassis.

It is projected that there will be approximately 15 more inputs required to be routed through the MPS for the upcoming test of ERL. In addition to its current I/O, the MPS can have up to 5 more 24V or TTL level I/O modules.