

National Spherical Torus Experiment

# NSTX CENTER STACK UPGRADE

# Coil Protection System Requirements Document

# NSTX\_CSU-RQMT-CPS-159

**Revision** 0

January 30, 2012

Prepared By:

Charles Neumeyer NSTX Project Engineering Manager

Approved By:

Larry Dudek NSTX Center Stack Upgrade Project Manager

## NSTX CPS REQUIREMENTS DOCUMENT

## **RECORD OF CHANGES**

| Revision | Date    | Description of Change |  |  |
|----------|---------|-----------------------|--|--|
| 0        | 1/30/12 | First Issue           |  |  |
|          |         |                       |  |  |
|          |         |                       |  |  |
|          |         |                       |  |  |

## NSTX CPS REQUIREMENTS DOCUMENT

## TABLE OF CONTENTS

| 1 | Introduction                       |        |                                                  |    |  |
|---|------------------------------------|--------|--------------------------------------------------|----|--|
| 2 | System E                           | 2      |                                                  |    |  |
|   | 2.1                                | Existi | ng System                                        | 2  |  |
|   | 2.2 New System                     |        |                                                  | 4  |  |
| 3 | Elements of Coil Protection System |        |                                                  | 6  |  |
|   | 3.1                                | Digita | al Coil Protection (DCP)                         | 6  |  |
|   |                                    | 3.1.1  | Determination of State                           | 7  |  |
|   |                                    | 3.1.2  | Signal Processing                                | 7  |  |
|   |                                    | 3.1.3  | Computation of Prospective Future Current States | 8  |  |
|   |                                    | 3.1.4  | Computation of Limit Variables                   | 11 |  |
|   |                                    | 3.1.5  | Faults                                           | 13 |  |
|   |                                    | 3.1.6  | Interface with NSTX EPICS and Data Acquisition   | 14 |  |
|   |                                    | 3.1.7  | Local Interface and Tools                        | 14 |  |
|   | 3.2                                | PSRT   | °C                                               | 14 |  |
|   |                                    | 3.2.1  | Determination of State                           | 15 |  |
|   |                                    | 3.2.2  | Signal Processing                                | 15 |  |
|   |                                    | 3.2.3  | Computation of Prospective Future Current States | 16 |  |
|   |                                    | 3.2.4  | Computation of Limit Variables                   | 16 |  |
|   |                                    | 3.2.5  | Faults                                           | 17 |  |
|   |                                    | 3.2.6  | Interface with NSTX EPICS and Data Acquisition   | 17 |  |
|   |                                    | 3.2.7  | Local Interface and Tools                        | 17 |  |
|   | 3.3                                | Water  | r Systems PLC (WSPLC)                            | 17 |  |
|   | 3.4                                | Pulse  | Duration Period (PDP) Timer                      | 18 |  |
| 4 | 4 System Performance Requirements  |        |                                                  | 19 |  |
|   | 4.1                                | Time   | Response                                         | 19 |  |
|   | 4.2                                | Accur  | racy                                             | 19 |  |
|   | 4.3                                | Settin | gs Criteria                                      | 19 |  |
|   | 4.4                                | Reliat | bility                                           | 20 |  |
|   |                                    | 4.4.1  | Fault Tree Analysis                              | 20 |  |
|   |                                    | 4.4.2  | Single Point Failure Criteria                    | 22 |  |
| 5 | 5 Development Tools                |        |                                                  |    |  |
| 6 | Operations Guidance                |        |                                                  | 23 |  |
|   | 6.1 Scenario Development           |        |                                                  | 23 |  |
|   | 6.2 Repetition Period              |        |                                                  | 23 |  |

## 1 Introduction

NSTX implemented coil current measurements and protection using legacy equipment from TFTR which provided basic functions appropriate for the mission.

Currents were measured by DC Current Transducers (DCCTs) in various circuit locations, sometimes measuring branch currents, sometimes total coil currents, with varying bus link polarity dependencies.

Individual coil currents were limited by in terms of magnitude, duration,  $\int i^2(t)dt$ , and repetition period by the following devices:

- Power Supply Real Time Controller (PSRTC) software
- Rochester Instrument Systems (RIS) hardware
- Analog Coil Protection (ACP) hardware
- Pulse Duration and Period (PDP) hardware
- Water Systems PLC (WSPLC) hardware

The NSTX Center Stack Upgrade (NSTX\_CSU) project expands the NSTX operational space and requires a more sophisticated approach to account for the following effects.

- structural stresses arising from coil current combinations and coil conductor heating
- PF coil temperature ratcheting

Per the General Requirements Document (GRD) a new Digital Coil Protection (DCP) device is required for NSTX\_CSU to advance the level of sophistication.

The requirements given herein for the integrated Coil Protection System (CPS) cover the following changes to meet the needs of the NSTX\_CSU:

- addition of DCP
- elimination of RIS and ACP
- modification of PDP to cover longer pulse length and repetition period
- modification of WSPLC and related measurements to cover all PF coils
- addition of DCP algorithms to PSRTC
- reconfiguration the DCCTs to provide total coil currents to DCP and PSRTC
- protection for all 14 NSTX CSU coil circuits, except RWM (not in CPS scope)
  - TF
  - OH

1

- PF1AU and PF1AL
- PF1BU (new) and PF1BL
- PF1CU (new) and PF1CL (new)
- PF2U and PF2L
- PF3U and PF3L
- PF4
- PF5

## 2 System Block Diagram

#### 2.1 Existing System

A block diagram of the existing system is given in Figure 1.





Coil currents are measured by "control" and "protection" DCCTs where (per the TFTR basis) the former have a slightly greater accuracy than the latter. The original DCCTs were all manufactured by Halmar Electronics (now DynAmp<sup>1</sup>) based on the "zero flux" principle. Later on, shunts were implemented for some of the measurements along with other types of devices including the latest fiber optic current sensor (FOCS) technology<sup>2</sup>. All of these signals are fed to a "Halmar Signal Conditioner" (HSC) system which buffers, filters, and fans out the signals with 5 outputs per input.

ACP units monitor a subset of the HSC outputs, providing magnitude, duration,  $\int i^2(t)dt$ , and repetition period protection.

A subset of the DCCT signals go to the RIS which provides magnitude and  $\int i^2(t)dt$  protection. Comparison of a subset of the control and protection DCCTs is also accomplished at the RIS.

The distribution of DCCTs and their usage is given in Table 1. Rows highlighted in yellow represent total coil currents whereas those not highlighted represent branch current measurements. DCCT with "MN1" or "MN2" in their name are "control" type whereas those with "CTD" are "protection" type. Shunts include "SHUNT" in their names.

|            |                 |                 |       | RIS            | ACP    |
|------------|-----------------|-----------------|-------|----------------|--------|
|            | #1 (Control)    | #2 (Protection) | PSRTC | OC/I2T/Compare | OC/PDP |
| PF1AU-BR1  | EEF4-MN1-XT1-I  |                 | х     |                |        |
| PF1AU-BR2  | PF1AU-MN1-XT1-I |                 | х     |                |        |
| PF1AU      | PF1AU-CTD-XT1-I | PF1AU-CTD-XT2-I |       |                | Х      |
| PF1AL-BR1  |                 |                 | х     |                |        |
| PF1AL-BR2  | PF1AL-MN1-XT1-I |                 | х     |                |        |
| PF1AL      | EFVC-MN2-XT1-I  | EFVC-CTD-XT1-I  |       |                | х      |
| PF1BL      | EEF1-MN1-XT1-I  | EEF1-CTD-XT1-I  | Х     |                | х      |
| PF2U       | EOH5-CTD-XT1-I  | EOH5-SHUNT-1    | Х     |                | х      |
| PF2L       | EOH3-CTD-XT1-I  | EOH3-SHUNT-1    | Х     | Х              | Х      |
| PF3U-BR1   |                 |                 |       |                |        |
| PF3U-BR2   | EOH2-MN2-XT1-I  |                 |       |                |        |
| PF3U-Total | EOH2-CTD-XT1-I  | EOH2-SHUNT-1    | Х     | Х              | х      |
| PF3L-BR1   |                 |                 |       |                |        |
| PF3L-BR2   | EOH4-MN2-XT1-I  |                 |       |                |        |
| PF3L-Total | EOH4-CTD-XT1-I  | EOH4-SHUNT-1    | Х     | Х              | х      |
| PF4        | EPF4-MN1-XT1-I  | EPF4-CTD-XT1-I  | Х     |                | х      |
| PF5        | EOH6-CTD-XT1-I  | EOH6-SHUNT-1    | Х     |                | х      |
| OH-BR1     | ETF2-MN1-XT1-I  | ETF2-CTD-XT1-I  | х     | х              | х      |
| OH-BR2     | ETF2-MN3-XT1-I  | ETF2-CTD-XT2-I  | х     | х              | х      |
| TF-BR1     | ETF1-MN1-XT1-I  | ETF1-CTD-XT1-I  | х     | х              | х      |
| TF-BR2     | ETF1-MN2-XT1-I  | ETF1-CTD-XT2-I  | х     | Х              | x      |
| TF-BR3     | ETF1-MN3-XT1-I  | ETF1-CTD-XT3-I  | х     | х              | x      |
| TF-BR4     | ETF1-MN4-XT1-I  | ETF1-CTD-XT4-I  | x     | х              | x      |

Table 1 – Existing DCCT Distribution and Usage

<sup>&</sup>lt;sup>1</sup> http://www.dynamp.com/

<sup>&</sup>lt;sup>2</sup> http://www.abb.com/product/seitp322/87658a38b941842dc1256f480034c11c.aspx

In the existing system the WSPLC receives the status of flow switches on the outlet cooling water lines of all flow paths as well as outlet water temperature from the OH cooling paths and a few PF cooling paths. The WSPLC blocks the FCPC "Power Supply Permissive" signal via the "PAUX" relay unless the OH outlet water falls below a temperature set-point which is coordinated with the  $\int i^2(t) dt$  settings and repetition period<sup>3</sup>.

## 2.2 New System

A tentative block diagram of the new system is given in Figure 2. As the CPS design is developed it may be necessary to modify the block diagram as required to meet the requirements, e.g. for accuracy or reliability.



Figure 2 – New Arrangement of Power Supplies, Control, and Coil Protection Devices

Compared to the existing system, in the revised system:

<sup>&</sup>lt;sup>3</sup> "Study Of OH Coil Cooling vs. Rep Rate", C. Neumeyer, 71\_000222\_CLN\_01

- RIS and ACP are replaced by DCP
- All total current DCCT signals are routed to the DCP and HSC
- Plasma current Ip is fed to the DCP
- Triggers derived from the facility clock are fed to the DCP to establish the pulse window
- PSRTC-PCS communication becomes bi-directional (future option)
- PDP is modified to longer pulse duration and repetition period range
- Outlet water temperature from all PF coils is measured and monitored by the WSPLC
- WSPLC is replaced with a modern unit and the logic and I/O modified to control the PAUX based on the OH and PF outlet water temperatures

Although Figure 2 shows the DCP located in the Junction Area, this is not a requirement. It can be located in FCPC if more convenient and cost effective.

The new DCCT distribution and usage is given in

Table 2.

## Table 2 – New DCCT Distribution and Usage

|            | #1 (Control)    | #2 (Protection) | PSRTC | DCP |
|------------|-----------------|-----------------|-------|-----|
| PF1AU-BR1  | EEF4-MN1-XT1-I  |                 |       |     |
| PF1AU-BR2  | PF1AU-MN1-XT1-I |                 |       |     |
| PF1AU      | PF1AU-CTD-XT1-I | PF1AU-CTD-XT2-I | х     | x   |
| PF1AL-BR1  |                 |                 |       |     |
| PF1AL-BR2  | PF1AL-MN1-XT1-I |                 |       |     |
| PF1AL      | EFVC-MN2-XT1-I  | EFVC-CTD-XT1-I  | х     | X   |
| PF1BU      | Future          | Future          | х     | x   |
| PF1BL      | EEF1-MN1-XT1-I  | EEF1-CTD-XT1-I  | Х     | X   |
| PF1CU      | Future          | Future          | х     | x   |
| PF1CL      | Future          | Future          | х     | x   |
| PF2U       | EOH5-CTD-XT1-I  | EOH5-SHUNT-1    | х     | X   |
| PF2L       | EOH3-CTD-XT1-I  | EOH3-SHUNT-1    | х     | x   |
| PF3U-BR1   |                 |                 |       |     |
| PF3U-BR2   | EOH2-MN2-XT1-I  |                 |       |     |
| PF3U-Total | EOH2-CTD-XT1-I  | EOH2-SHUNT-1    | х     | X   |
| PF3L-BR1   |                 |                 |       |     |
| PF3L-BR2   | EOH4-MN2-XT1-I  |                 |       |     |
| PF3L-Total | EOH4-CTD-XT1-I  | EOH4-SHUNT-1    | х     | X   |
| PF4        | EPF4-MN1-XT1-I  | EPF4-CTD-XT1-I  | х     | X   |
| PF5        | EOH6-CTD-XT1-I  | EOH6-SHUNT-1    | х     | X   |
| OH-BR1     | ETF2-MN1-XT1-I  | ETF2-CTD-XT1-I  |       |     |
| OH-BR2     | ETF2-MN3-XT1-I  | ETF2-CTD-XT2-I  |       |     |
| OH-Total   | Repositioned    | Repositioned    | х     | X   |
| TF-BR1     | ETF1-MN1-XT1-I  | ETF1-CTD-XT1-I  |       |     |
| TF-BR2     | ETF1-MN2-XT1-I  | ETF1-CTD-XT2-I  |       |     |
| TF-BR3     | ETF1-MN3-XT1-I  | ETF1-CTD-XT3-I  |       |     |
| TF-BR4     | ETF1-MN4-XT1-I  | ETF1-CTD-XT4-I  |       |     |
| TF-Total   | New             | New             | х     | X   |

## 3 Elements of Coil Protection System

## **3.1** Digital Coil Protection (DCP)

The DCP shall be comprised of various components and devices to accomplish input and output functions and to perform digital processing of the input data state at the start each of time step to determine the outputs to be issued at the end of each time step.

The DCP shall:

- Determine state (where states = pulse (P), and standby (S))
- Process incoming DCCT and Ip signals
- Compute prospective future current states
- Compute various Limit Variables (LV)
- Set fault status if LV(s) exceed allowable values or other anomalous behavior detected
- Provide interface with NSTX EPICS and Data Acquisition systems

• Provide local interface and tools for software upload, parameter upload, reset, and test

## 3.1.1 Determination of State

The DCP state shall be determined using the "SOP" and "EOP" events encoded in the NSTX facility clock along with adjustable input parameters for time durations to set the DCP transition time to/from the P and S states, referenced to SOP and EOP. It should be possible to set the transition from S to P state based on SOP + x and the transition from P to S state based on EOP + y where x and y are the adjustable inputs.

Maximum allowable P state duration and minimum allowable S state duration shall be adjustable input parameters. Faults shall be declared if these durations are violated due to mis-operation of the facility clock or related triggers (in other words, if the duty cycle is violated).

## 3.1.2 Signal Processing

## 3.1.2.1 Circuit Current DCCT Measurements

During all states, four input signals shall be received and processed for each coil current, two coming directly from the redundant DCCTs and two from the same sources after HSC processing. Signals shall be processed each time step as shown in Figure 3.



**Figure 3 – DCP Processing of DCCT Signals** 

Since the HSC signals are filtered, it may be appropriate for the DCP to provide digital filtering (not shown in Figure 3) of the raw input signals in order to achieve reliable comparisons. As a minimum

an offset subtraction shall be performed on each signal where the offset is computed as a simple moving average of the 100 most recent samples taken during the S state. Offsets shall be computed during the S state and subtracted during the P state. A fault shall be declared if an offset exceeds a limit value.

As shown in Figure 3 the first comparison shall be performed between the raw and HSC signals. During the S state this comparison shall be made without offset subtraction. During the P state this comparison shall be made after offset subtraction. The discrepancy limits shall be adjustable input parameters with separate sets of value for P and S states and separate sets of values for the two comparison steps. After each comparison step, "auctioneering" algorithms shall pick out the larger magnitude of the two redundant signals. The outcome of this process yields the basis for each coil current to be used in subsequent DCP algorithms.

#### 3.1.2.2 Plasma Current Measurements

For the plasma current Ip, there will be two input signals which shall be compared and auctioneered. An offset subtraction shall be performed on each signal where the offset is computed as a simple moving average of the 100 most recent samples taken during the S state. The offsets shall be computed during the S state and subtracted during the P state. In addition, a correction for pick-up from the OH and PF coils is required based on coefficients which shall be adjustable input values. A fault shall be declared if an offset exceeds a limit value or if the two signals differ by more than a limit value during any DCP state. A fault shall be declared if the auctioneered signal exceeds a limit value during the S state. Limits shall be adjustable input parameters.

## 3.1.3 <u>Computation of Prospective Future Current States</u>

This computation shall be performed during the P state.

## 3.1.3.1 Post-Disruption

Since the OH and PF coils are magnetically coupled to the plasma, their currents will shift during a plasma disruption event in such a way as to conserve linked flux. This is complex phenomenon which depends on plasma shape, position, current distribution, disruption rate, and the effect of passive structure which influences the time dependence and peak values of post-disruption OH and PF currents. In addition the power supplies will respond, but their influence on the transient peak is limited due to their inability to adjust their voltage during the short duration of the transient. In order to ensure that post-disruption conditions do not cause LVs to be exceeded, it is necessary to predict what the future state conditions would be, starting from the present state. The TF is not coupled (to any significant extent) the plasma or OH and PF circuits so it is excluded from this calculation (i.e. [I'] = [I]).

#### 3.1.3.1.1 Flux Conservation Method

A flux-conserving adjustment is made to the coil currents based on the assumption that the plasma disruption occurs so fast that the resistive losses contributing to voltage drops in coil circuits during the disruption can be ignored<sup>4</sup>. Then currents during the voltage transient obey the following vector-matrix differential equation:

$$\begin{bmatrix} \underline{\underline{L}_{coils}} & \underline{\underline{M}_{pl-coils}} \\ \underline{\underline{M'}_{pl-coils}} & \overline{\underline{L}_{pl}} \end{bmatrix} \frac{d}{dt} \begin{bmatrix} \underline{I}_{coils} \\ \underline{I}_{pl} \end{bmatrix} = 0$$

Here, the matrix on the left is the full mutual inductance matrix [M] but subdivided into coil and plasma parts. Note also the absence of resistance terms; this makes it possible to integrate the differential equation in closed form over the time interval of the plasma disruption, obtaining the following:

$$\begin{bmatrix} \underline{\underline{L}_{coils}} & \underline{\underline{M}_{pl-coils}} \\ \underline{\underline{M'}_{pl-coils}} & \underline{\underline{L}_{pl}} \end{bmatrix} \begin{pmatrix} \begin{bmatrix} \underline{I}_{coils} \\ I_{pl} \end{bmatrix}_{after} & -\begin{bmatrix} \underline{I}_{coils} \\ I_{pl} \end{bmatrix}_{before} \\ disruption \end{pmatrix} = 0$$

The first n-1 lines of this n x n equation can be rewritten as follows while the last line corresponding to the plasma is henceforth ignored.

$$\underline{\underline{L}_{coils}}\left(\underline{I}_{coils}^{after} - \underline{I}_{coils}^{before}\right) + \underline{\underline{M}}_{pl-coils}\left(\underline{I}_{pl}^{after} - \underline{I}_{pl}^{before}\right) = 0$$

Since the postulated plasma disruption is assumed to completely extinguish the plasma current, the remaining terms are solved for the change in coil currents as follows:

$$\underline{I}_{coils}^{after} = \underline{I}_{coils}^{before} + \left[\underline{\underline{L}_{coils}}\right]^{-1} \underline{\underline{M}}_{pl-coil} I_{pl}^{before}$$

This formula provides fixed coefficients calculated directly from the inductance matrix to multiply by the initial pre-disruption plasma current in order to determine the disruption-induced increments to each coil current. The coefficients are in matrix [P] as follows:

<sup>&</sup>lt;sup>4</sup> "Coil Protection Current Transients", R. Woolley, 13-270410-RDW-01, 27 April 2010

$$\underline{P} = \left[\underline{\underline{L}_{coils}}\right]^{-1} \underline{\underline{M}}_{pl-coil}$$

Thus the current shift is obtained by the vector multiplication [P] times the plasma current prior to the disruption.

Summarizing, the future state post-disruption currents [I'] are calculated from the present state currents [I] based on the multiplication of vector [P] times the plasma current. This computation shall be performed every time step during pulses but is not required between pulses.

$$\begin{bmatrix} I' \end{bmatrix} = \begin{bmatrix} I \end{bmatrix} + \begin{bmatrix} P \end{bmatrix} I_P$$

Note that [P] depends on the mutual coupling to the OH and PF coils and if any of those coils are open-circuited then they do not interact in the transient and [P] must be modified. Therefore [P] should be an adjustable input. Alternately the in/out (lockout) status of the various OH and PF coils could be an input and the [P] matrix could be computed from [M] inside the DCP, or looked up from pre-established tables, (but not in real-time), depending on lockout status. In either case, a method needs to be developed, either automatic or administrative, to ensure that the [P] matrix matches the state of the bus links and disconnect switches in the OH and PF Safety Disconnect Switch (SDS) systems.

Since the [P] matrix depends on the mutuals [M] between coils and plasma, the result will differ for differing plasma models<sup>5</sup>. Initially, the plasma shall be modeled as a circular, constant current density conductor on the mid-plane. Future work may provide a refined model taking into account plasma shape, non-uniform current density, and plasma motion. *Whatever plasma model is used, it must be used consistently for all mutual inductance and influence matrix calculations and input data*.

## 3.1.3.1.2 Advanced Method

The flux conservation method does not account for the beneficial effects of the passive structure in reducing the post-disruption current shifts. A computationally efficient method<sup>6</sup> to accomplish this is under development and should be considered for future implementation.

<sup>&</sup>lt;sup>5</sup> "CSU Plasma Model Comparison", R. Hatcher, February 21, 2011

<sup>&</sup>lt;sup>6</sup> "Digital Coil Protection System Algorithms for the NSTX Centerstack Upgrade", R. Woolley et al, Proceedings of 24th SOFE

#### 3.1.3.2 Post-Fault State

It is assumed that, following a Level 1 fault, no significant overshoots in coil currents will arise due to mutual coupling during L/R decay. Therefore, no post-fault future state current prediction is required.

#### 3.1.4 Computation of Limit Variables

Limit Variables (LVs) are defined as quantities to be monitored by the DCP and, if limits are exceeded, a fault condition shall be declared. The DCP shall compute the limit variables each time step for the present state [I] and future state [I'] coil currents as applicable to the pulse state.

#### 3.1.4.1 Currents

In the S state the magnitude of the current [I] in each circuit shall be compared to a limit specified for each circuit as an input parameter applicable to the S state. In the P state the magnitude of the currents [I] and [I'] in each circuit shall be compared to a limit specified for each circuit as an input parameter applicable to the P state.

#### 3.1.4.2 Action Integrals

In the P state the "action integral" ( $\int i^2(t)dt$ ) shall be computed for each circuit based on [I] and compared to a limit specified for each circuit as an input parameter. The calculation shall include two parts. The first, designated [A], shall include the action accumulated since the start of the P state. The second, designated [A'], shall include the action which would follow due to a fault and subsequent decay of the current from the present state. The total action [A]+[A'] shall be compared to the aforementioned limit. The accumulated action [A] shall be reserved for use in computing other LVs (since it is proportional to conductor temperature rise). For each circuit, at time step k,

$$A_{k+1} = A_k + I_k^2 \Delta t$$
$$A_{k+1}' = \frac{I_k^2 \tau}{2}$$

where  $\Delta t$  is the DCP time step and  $\tau$  is the L/R time constant of the circuit based on the selfinductance and 20C resistance of the circuit. This is an approximation because the use of L ignores (except in the case of the TF) the mutual inductance effects and R is not varied with temperature. This could be improved in the future if desired with some additional computations but shall be calculated as described herein for the initial version.

The  $\int i^2(t) dt$  action integrals shall be reset to zero at the time of transition from the S to P states.

#### 3.1.4.3 Forces and Moments

In the P state the radial force Fr, vertical force Fz, and moment (torque) T shall be computed for selected coils based on the present state [I] and future state [I'] coil currents and compared to a limits specified for each selected coil as an input parameter. The selection of circuits to include and exclude from this calculation shall be an adjustable input parameter set along with the limits. For each coil "i" the value of X = Fr, Fz, or T is calculated using the same algorithmic form:

$$X_i = I_i \sum_j C_{i,j}^X I_j$$

where j = 1 to 14 (the range of coils) and  $C^{x}$  is the appropriate "influence matrix".

Whatever plasma model is used, it must be used consistently for all mutual inductance and influence matrix calculations and input data.

#### 3.1.4.4 Derived Limit Variables

In the P state the following additional LVs shall be derived from the currents, action integrals, forces, and moments described in previous sections, based on the present state [I] and future state [I'] coil currents, and compared to limits provided as adjustable input parameters.

#### Type 1:

Weighted sum of coil currents, action integrals, forces, and torques where i = 1 to 14 (the range of coils):

$$Y = \sum_{i} C_{i}^{I} I_{i} + C_{i}^{A} A_{i} + C_{i}^{Fr} Fr_{i} + C_{i}^{Fz} Fz_{i} + C_{i}^{T} T_{i}$$

Type 2:

Square root of sum of squares of Type 1 LVs.

$$Z = \sqrt{\sum_{n} Y_{n}^{2}}$$

## 3.1.5 <u>Faults</u>

Whenever the DCP detects a fault of any kind, the P state underway shall be completed until the trigger is received to transition to the S state, but future transitions to the P state shall not take place until the fault has been reset.

## 3.1.5.1 LV faults

In case any of the LV limits are exceeded a fault shall be declared for the effected circuit which in turn shall cause a Level 1 fault in the appropriate FCPC Hardwired Control System (HCS) control boards (CBD). There are four CBDs in FCPC, one associated with NSTX CSU TF (the TFTR TF1 CBD), one with OH (the TFTR TF2 CBD), and two with PF (the TFTR EF and OH CBD). For each LV the CBDs to fault shall be provided as adjustable input parameter set. Once a fault is declared the selected CBD Level 1 fault lines shall be set and latched in both hardware and software, awaiting reset, and the LV identifier, limit, and time of fault occurrence shall be saved and made available to the NSTX EPICS system.

## 3.1.5.2 Other faults

Features shall be included in the DCP hardware and software to detect DCP failures. In case of a DCP failure, all FCPC HCS CBD Level 1 fault lines shall be set in both software and hardware, awaiting reset. The same response shall result from a duty cycle violation as described in section 3.1.1.

## 3.1.5.3 Reset

The DCP software reset action shall require a key and a password and shall place the DCP into the S state. The hardware fault like reset shall be accomplished locally (not remotely through EPICS) and shall be secure, requiring a physical key.

## 3.1.5.4 Fault Output Interface

Each of the four Level 1 fault outputs shall include the following features:

- Open collector output to short the 125VDC parallel fault line in case of a fault
- Open collector output to open the 125VDC serial fault line in case of a fault
- Open collector output to indicate fault line status to an EPICS-monitored digital input module

A feature shall be included to override any combination of the four Level 1 fault outputs during testing. This feature shall be under secure key control and a T-mod shall be issued whenever it is invoked.

#### 3.1.6 Interface with NSTX EPICS and Data Acquisition

The interface with NSTX EPICS and Data Acquisition shall be implemented to provide operator information and troubleshooting capability but shall not include any direct linkage between the DCP digital processors and the NSTX Computer System. The four Level 1 fault line status shall be interfaced to digital input modules monitored by EPICS as noted in the preceding paragraph. The recorded fault data shall be output by the DCP and received by NSTX EPICS using a one-way digital link. As a minimum, all raw analog and digital raw inputs to the DCP shall be stored and communicable to the NSTX Data Acquisition System using a one-way digital link. The LVs shall be stored if possible within the capacity of the DCP device.

#### 3.1.7 Local Interface and Tools

A secure, key and password controlled local PC interface shall be provided for software upload, parameter upload, reset, and test. All Level 1 fault line interfaces to the FCPC HCS CBDs and EPICS shall be put into a fault state while these activities are underway.

An automated test capability shall be provided, via a separate external device, to generate patterns of coil current combinations, stepping one current at a time through a set of values while holding the others constant, and then repeating for each current, to confirm LV computations and fault response when limits are exceeded.

A test procedure shall be developed to confirm proper DCP operation after settings changes or any other intervention.

#### 3.2 PSRTC

PSRTC modifications to accommodate the upgrade shall include the incorporation of algorithms which are identical, to the greatest possible degree, to those implemented in the DCP. Administrative procedures shall be used to ensure that the input data files for parameters which are common to the PSRTC and DCP are identical. This will require subdivision of the existing PSRTC data into two parts, one with commonality to the DCP and another without.

The following is a description of the similarities and differences required with respect to the DCP requirements given in the prior section.

In addition to the above DCP-related items the coil temperature simulations as well as the "pole" (cable) simulations in the existing PSRTC, based on single thermal time constant models, shall be eliminated. They are not very accurate and are invalid in case the computer has to be restarted, because of loss of the time history of heating.

## 3.2.1 Determination of State

This functionality already exists in the PSRTC and can remain as-is.

#### 3.2.2 <u>Signal Processing</u>

#### 3.2.2.1 Circuit Current DCCT Measurements

Compared to the DCP, only two signals (instead of four) need to be processed for each circuit current. Offset subtraction as described for the DCP already exists in the PSRTC. As for the DCP, auctioneering shall be used to determine which signal shall be used for input to the DCP algorithms replicated in the PSRTC, but averaging shall be used to establish the signal to be used by the feedback controllers of PCS and PSRTC. Note that this is a change from the existing system which uses the auctioneered signal for all purposes. For the DCP protection function it is conservative to auctioneer and take the larger signal whereas for feedback control the average signal is the best predictor of the actual current. Signals shall be processed each time step as shown in Figure 4.

In the existing PSRTC, branch current signals are added to determine total current signals, whereas in the new version only total current signals will be input (refer to section 2.2). Therefore the features related to managing branch currents shall be deleted.



Figure 4 – PSRTC Processing of DCCT Signals

#### 3.2.2.2 Plasma Current Measurements

Same as DCP section 3.1.2.2. This will be a new feature for PSRTC which does not presently monitor plasma current.

## 3.2.3 Computation of Prospective Future Current States

Same as DCP section 3.1.3.

## 3.2.4 Computation of Limit Variables

Same as DCP section 3.1.4 except two limit levels shall be used for each LV. The first limit level shall be used to provide an alarm to PCS (as a future option) and shall not terminate the normal control of the circuit in question. The second limit level shall be used to set a fault condition per the

existing PSRTC logic, resulting in the suppress/bypass state for the circuit in question. As per the existing PSRTC fault logic, both of these features shall be on a per-circuit basis.

3.2.5 Faults

3.2.5.1 LV faults

Same as DCP 3.1.5.1 except there is no interface between PSRTC and the FCPC HCS CBD Level 1 fault systems.

3.2.5.2 PSRTC faults

Same as existing PSRTC functionality.

3.2.5.3 Reset

Same as existing PSRTC functionality.

3.2.5.4 Fault Output Interface

Same as existing PSRTC functionality.

3.2.6 Interface with NSTX EPICS and Data Acquisition

Same as existing PSRTC functionality.

3.2.7 Local Interface and Tools

Same as existing PSRTC functionality except that an automated test capability shall be provided to generate patterns of coil current combinations, stepping one current at a time through a set of values while holding the others constant, and then repeating for each current, to confirm LV computations and fault response when limits are exceeded. Test patterns may be generated via a test mode in software or via an external device as convenient. Note that this testing is not intended to replace the end-to-end testing of signal throughput via injection of DC voltage at each DCCT output, one at a time, per existing test procedures.

A test procedure shall be developed to confirm proper CPS aspects of PSRTC operation after settings changes or any other intervention.

#### **3.3** Water Systems PLC (WSPLC)

The existing NSTX WSPLC provides a variety of functions which control the status of the PAUX relay, whose contact is the logic of the FCPC HCS power supply permissive signals issued by the CBDs. This includes the monitoring of the 8 OH water cooling path outlet temperatures. A temperature set-point is coordinated with the "action integral" ( $\int i^2(t)dt$ ) setting on various coil protection devices along with the facility clock in such a way that:

- The power supply permissive (controlled by the WSRTC) is not issued until the temperatures fall below the set-point
- The coil temperatures will not exceed limits even if the power supplies deliver the full action to the coils within the action limit setting (in the PSRTC and RIS)
- The cool-down from maximum temperature to set-point temperature occurs within the facility clock repetition period, based on calculated cool-down rates<sup>7</sup>

The WSPLC and associated instrumentation shall be modified as follows:

- include all coil OH and PF water circuit outlet temperatures
- include TF water circuit outlet temperatures (optional)<sup>8</sup>
- include set-points as input parameters for each coil outlet water
- provide a signal to EPICS to allow monitoring of cool-down of each coil water circuit
- provide a test capability (under key and password control) to exercise the WSPLC logic and control of the PAUX relay based on combinations of coil water temperatures from a simulated source

A test procedure shall be developed to confirm proper WSPLC operation and control of the PAUX relay after settings changes or any other intervention.

## **3.4** Pulse Duration Period (PDP) Timer

The functionality of the existing PDP timer shall be retained, except that its capability for maximum pulse time and maximum inter-pulse time shall be increased to 10 seconds and 40\*60=2400 seconds, respectively.

<sup>&</sup>lt;sup>7</sup> "Study Of OH Coil Cooling vs. Rep Rate", C. Neumeyer, 71\_000222\_CLN\_01

A test procedure shall be developed to confirm proper PDP operation after settings changes or any other intervention.

#### 4 <u>System Performance Requirements</u>

#### 4.1 Time Response

For the PSRTC and DCP which detect faults and issue shutdown command to the power supplies (as compared to the other CPS devices which control the permissive) the lag between the time of fault occurrence and power supply shutdown has to be coordinated with the limit settings considering the fact that the limit variables will overshoot the limit settings. The main time lag for the PSRTC and DCP, implemented in digital processors, will be the interval between their discrete time updates (the time step). The nominal assumption for time step shall be 1mS. However, this parameter shall be evaluated and optimized considering the following issues:

- Overshoot should be minimized, favoring minimization of the time step
- Algorithms and input/output must be accomplished within the time step period
- PSRTC time step has to be coordinated with the needs of both control and protection

#### 4.2 Accuracy

The current measurements and algorithms related to the PSRTC and DCP have finite accuracy which needs to be factored into the limit settings, above and beyond whatever margins are included in the structural/mechanical design to account for uncertainties.

The most significant error term will arise from the simplification of the plasma disruption behavior as described in section 3.1.3.1. Analysis shall be performed, including a review of actual behavior during NSTX disruptions, along with other simulation and modeling, to characterize the limitations of the simplified model, to guide in the selection of limit settings, and to determine whether more complex models should be developed for future implementation. Similarly, the assumption concerning post-fault overshoot as described in 3.1.3.2 needs to be confirmed.

#### 4.3 Settings Criteria

To ensure that the limit variables do not exceed allowable values under any circumstances, the choice of settings must be made with consideration of finite time response and accuracy. In addition, multilevel settings shall be established as follows:

- PSRTC alarm setting PSRTC will inform PCS that a limit is being approached
- PSRTC fault setting PSRTC will cause suppress/bypass action in effected circuit
- DCP fault setting DCP will trigger Level 1 fault condition in effected systems

A procedure shall be established to guide the choice of settings for each limit variable (LV) such that:

- PSRTC alarm should allow enough time for the PCS to react such that, considering typical current derivatives during normal operation multiplied by the time step, the PSRTC LV fault setting is not exceeded
- PSRTC fault setting should include enough headroom below the DCP fault setting so that the overshoot due to typical current derivatives during normal operation multiplied by the time step, along with the overshoot due to suppress/bypass volt-seconds, the DCP LV setting is not exceeded
- DCP fault setting should include enough headroom below the allowable value of the LV so that the overshoot due to maximum current derivative multiplied by the time step, along with the overshoot due to suppress/bypass volt-seconds, the allowable LV setting is not exceeded

## 4.4 Reliability

## 4.4.1 Fault Tree Analysis

The reliability of the integrated CPS shall be consistent with the NSTX CSU requirements (section 3.5.5) which calls for a probability of failure less than  $10^{-4}$  per year, corresponding with the category "Extremely Unlikely Event" in which case "Facility damage may preclude returning to operation". To demonstrate that this requirement is satisfied a probabilistic fault tree analysis shall be performed based on the probability of failure to respond to a finite set of causal events associated with NSTX pulsing which would require intervention by the CPS. The analysis shall assume 3000 pulses per year, which translates to a failure probability limit of ( $10^{-4}$  failures per year) / (3000 pulses per year) =  $3.33 \times 10^{-8}$  per pulse.

Since NSTX typically runs for 12 weeks per year the number of hours to be used to assess component failure probabilities shall be 12\*7\*24 = 2016 hours per annual campaign.

The fraction of pulses which are "test shots" not under control of the Plasma Control System (PCS) shall be assumed equal to 5%.

The number of settings changes shall be assumed equal to 2 per week, total of 24 per year based on 12 run weeks.

As a minimum, the causal events listed in **Table 3** shall be considered in the analysis with tentative probability as indicated.

| Event                                                                       | Probability          |  |
|-----------------------------------------------------------------------------|----------------------|--|
| Reference signals from PCS call for operation outside allowable LV          | 0.1 per plasma pulse |  |
| envelope                                                                    |                      |  |
| Operator error in test shot set-up calls for operation outside allowable LV | 0.01 per test shot   |  |
| envelope                                                                    |                      |  |
| Facility clock SOP comes too soon or EOP comes too late due to hardware     | 0.001 per pulse      |  |
| failure or human error                                                      |                      |  |
| Failure of Transrex AC/DC converter firing pulse control in firing          | 0.001 per pulse      |  |
| generator(s) or PC Link                                                     |                      |  |
| Loss of cooling water flow to one or more flow paths                        | .001 per operating   |  |
|                                                                             | hour                 |  |
| Failure of administrative procedure to program correct CPS settings in any  | 0.01 per CPS         |  |
| one CPS device (DCP, PSRTC, PDP, WSPLC)                                     | settings change      |  |

| Table 3 – | Causal | <b>Events</b> | for | CPS | Fault | Tree | Analysis |
|-----------|--------|---------------|-----|-----|-------|------|----------|
|-----------|--------|---------------|-----|-----|-------|------|----------|

CPS devices to be considered in the fault tree analysis are indicated in magenta on Figure 5.



Figure 5 - CPS Devices to be Considered in Fault Tree Analysis

During the process of design development the fault tree analysis shall be performed to determine whether or not the CPS design meets the reliability requirement. If not then the design has to be revised to meet the requirement either by reducing failure probability of CPS devices or by adding redundancies.

## 4.4.2 Single Point Failure Criteria

In addition to the requirements derived from the fault tree analysis (section 4.4.1) there shall be no single point failure mode in the CPS, i.e. no single failure shall prevent the CPS from intervening in case of any of the causal events listed in **Table 3**. Note that single point failure modes can be avoided by redundancy and/or fail-safe design. With a fail-safe design either the failure mode itself results in the annunciation of a fault condition or sensors are included which detect the failure mode and annunciate a fault condition.

## 5 <u>Development Tools</u>

Tools (in XL, MATLAB, etc.) shall be provided with which the LV definitions and settings can tested against equilibria snapshots as well as time dependent scenarios.

#### 6 **Operations Guidance**

#### 6.1 Scenario Development

The PSRTC, operating in the simulation mode, shall provide the capability to pre-screen proposed experimental waveforms to confirm that they are compatible with LV definitions and settings. This shall include a plasma current waveform in order that the post-disruption current shifts can be simulated.

#### 6.2 Repetition Period

A database of repetition periods, in multiples of 180 seconds, up to a maximum of 2400 seconds, shall be developed, with cross reference to end-of-pulse temperature. The database entries shall include  $\int i^2(t)dt$  settings and start-of-pulse coil temperatures for each OH and PF coil such that, for each coil the end-of-pulse temperature is equal to the adiabatic temperature rise resulting from the  $\int i^2(t)dt$  setting added to the start-of-pulse coil temperature. The set of end-of-pulse temperatures shall be include values of 50,60,70,80,90, and 100C.

The database shall be developed using calculations which assume maximum inlet water temperature and minimum cooling path flow as enforced by the WSPLC and related instrumentation.