





# **NSTXU** Digital Coil Protection System Overview

#### **Timothy N. Stevenson**

Coll of Wm & Mary Columbia U CompX **General Atomics** FIU INL Johns Hopkins U LANL LLNL Lodestar MIT Lehigh U **Nova Photonics** ORNL PPPL Princeton U Purdue U SNL Think Tank. Inc. **UC Davis UC Irvine** UCLA UCSD **U** Colorado **U Illinois U** Maryland **U** Rochester

**U Tennessee** 

**U Washington** 

X Science LLC

**U Wisconsin** 

**U Tulsa** 

Princeton Plasma Physics Laboratory
NSTX Upgrade Project
Readiness for Operations Review
December 9-11, 2014



Culham Sci Ctr York U Chubu U Fukui U Hiroshima U Hyogo U Kyoto U Kyushu U Kyushu Tokai U **NIFS** Niigata U **U** Tokyo JAEA Inst for Nucl Res. Kiev loffe Inst TRINITI **Chonbuk Natl U NFRI** KAIST **POSTECH** Seoul Natl U **ASIPP CIEMAT FOM Inst DIFFER** ENEA, Frascati CEA, Cadarache IPP. Jülich IPP, Garching ASCR, Czech Rep

### Why DCPS?

- Plasma control system can direct power supplies to overload the machine structures
- TFTR era Power Supply capability can deliver coil overcurrent and overheating
- Structural solutions prohibitive and prohibitively expensive
- Previous analog overcurrent and I<sup>2</sup>t too limited and would require upgrade anyway
   So...
- Digital Coil Protection System envisioned:
  - Replaces previous analog and software coded limits
  - Updates to NSTXU coil set
  - Improves software architecture and code maintainability
  - Allows for more sophisticated and multiple types and instances of algorithms
  - Allows for auctioneering of currents for input checking
  - Upgrade Water System PLC (WSPLC)
  - Upgraded Pulse Duration & Period chassis (PDP)
  - Performs algorithms SoP to EoP (during the time window of a plasma shot)
  - Performs zero current checking EoP to SoP (non- shot interim)
  - Provides self-checking WatchDog Timer (WDT) to issue a fault if down
  - Provides Autotester for code and system testing
  - Provides Hardware User Interface for status, investigation, and reset of faults



### **Requirements for DCPS**

- NSTX CSU RQMT-CPS-159
- Protect the coils and machine from electromagnetic loads
- Read currents
- Perform Calculations called Algorithms
- Issue Level 1 Faults if fault conditions met shut down the power
- Watchdog Timer Fault if code hangs or computer quits
- Algorithms performed every 200 microseconds between SoP and EoP
- Detect non-zero currents EoP to SoP
- Do not fail high reliability
   So...
- Two parallel and redundant trails to travel but same core code
- DCPS real time computer in D site FCPC Junction Area
- DCPS code residing on PCS-SRV-1 in NSTX Control Room FCC
- Same response effect
  - DCPS-FCC fault turns off power supplies through real time control
  - DCPS-JA fault trips off power supplies through L1 fault system
  - WDT trips L1 fault



# **Two Independent Redundant Paths for DCPS Protection**





# Simplified Block Diagram for DCPS – 2 places





#### **Reviews for DCPS**

- NSTXU PDR, FDR, Office of Science Reviews
- Software CDR, PDR, FDR
- Hardware User Interface PDR, FDR
- Autotester Review
- Autotester Interface Chassis Review
- Real time Clock and Input Module (RCIM) Review
- Reconfigurable Timing Unit (RTU) Review
- Ip Calculator, PDP, WSPLC Reviews
- DCPS Code Review 5 days, 3+ hours each day
- PSRTC Software Review with imbedded DCPS integration
- Chits included in Project Chit Log per ENG-033 Design Verification procedure

### **DCPS Computer System Design**

- Concurrent computers with Opteron processors
- Concurrent RedHawk Linux OS based on Red Hat Linux 6
- C++11 programming language
- Object Oriented design following UML standards
- Commonly available I/O cards
  - Redundant coil currents (16 x2 each) and lp x2
  - Clock 5 kHz and clock events (SoP, EoP)
  - Analog and digital status signals
  - Output four L1 fault signals and Watchdog timer
- 200 microsecond cycle time on input data hard requirement
- Trade off massive memory use for deterministic cycle
- Memory log of data without risking cycle time





#### **DCPS Autotester**

AT is a useful utility on a stand alone computer with analog output cards programmed in LabView and used in FCC and Junction Area locations.



Before the test shot cycle, verify the Coil Waveform you set up.



Choose the timing for the clock events.

There are other panels similar to the above for setting up FCPC events such as the PDP Window and L1 Fault commands to the DCPS RT system.

Allows setup, synchronous clock and asynchronous clock operation with AT panel.



#### AT completed

Allows status and output code testing, algorithm testing with shot files

Also now used for **PSRTC** testing

# **DCPS Autotester Interface Panel completed**



Allows local testing of DCPS code with Autotester



## **Testing of DCPS code with Autotester**



Local code and AT testing began in FCC in Spring

Continued in Junction Area this summer

Then returned to FCC this Fall for remote testing

Well over 1500 test shots performed

Data archived and reviewed

Operator Log kept to track issues

Bugzilla used to collect punch list items



[ncs] Index of /dcps/trunk/src 11/24/14 6:14 PM

## DCPS code configuration control using SVN SRV

#### Index of /dcps/trunk/src



Files shown: 6

Directory revision: 5116 (of 5140) Sticky Revision: Set

| <u>File</u> ▲    | Rev.        | <u>Age</u>   | <u>Author</u> | Last log entry                                                                     |
|------------------|-------------|--------------|---------------|------------------------------------------------------------------------------------|
| t                |             |              |               |                                                                                    |
| Parent Directory |             |              |               |                                                                                    |
| Algorithms/      | <u>4660</u> | 3<br>months  | kerickso      | Update algorithms for the new store layout focusing o std::array over std::vect    |
| Data/            | <u>5029</u> | 12<br>days   | gtchilin      | Added svn version recording to mdsplus shot tree wit failure mode of unknown       |
| Monitor/         | <u>4370</u> | 5<br>months  | kerickso      | Merge in paramSplit branch to break apart parameter data into components that in   |
| NarameterData/   | <u>4660</u> | 3<br>months  | kerickso      | Update algorithms for the new store layout focusing of std::array over std::vect   |
| Security/        | <u>3575</u> | 10<br>months | kerickso      | Reintegrate logging_testing branch into dcps trunk                                 |
| SystemControl/   | <u>5031</u> | 12<br>days   | kerickso      | Make sure functions that can return do                                             |
| Tools/           | <u>5116</u> | 5 days       | gtchilin      | Added bugzilla info for the busted input parser                                    |
| 🗓 gui/           | <u>3174</u> | 13<br>months | slynch        | Put all the Gui stuff into the dcps::Gui namespace. I realized they were still i   |
| <u>Makefile</u>  | <u>5030</u> | 12<br>days   | kerickso      | Enable reordering warnings                                                         |
| buildbot.mk      | <u>4305</u> | 6<br>months  | kerickso      | Link to rt                                                                         |
| cpus.txt         | <u>3777</u> | 8<br>months  | kerickso      | Free up cpu 9 by processing the events on the same cpu that receives the events    |
| dcps.cpp         | <u>4370</u> | 5<br>months  | kerickso      | Merge in paramSplit branch to break apart parameter data into components that in   |
| dcps.h           | <u>3591</u> | 10<br>months | kerickso      | dcps.h has no need to include the thread library.<br>However, removing this reveal |
| main.cpp         | <u>4782</u> | 6<br>weeks   | gtchilin      | Just in case the builder doesnt have the synversion command                        |

OP-DCPS-779
will require the
appropriate
code version
and revision of
DCPS software
as part of
setup, startup,
and daily
operations.

http://svnsrv.pppl.gov/viewvc/ncs/dcps/trunk/src/

Page 1 of 2



### **DCPS Hardware Design**

- Fail safe
- Analog and digital signals
- <u>Hardware User Interface And Nexus Subsystem (HANS)</u>
  - Autotester mode and Real World mode key cards to avoid error
  - 8 32 channel Lemo interface panels
  - Interfaces defined and maintained with DCPS Data Dictionary
  - Level 1 fault channels issued to FCPC L1 series and parallel circuits
  - Drawings complete
  - Installation complete
  - PTPs complete & punch list items in progress
- First use of DCPS-JA will be with Rectifier Dummy Load testing
- Interface buffer chassis with DCPS FCC in progress

On pace for CD-4....



### **Board testing and Bench testing of DCPS Hardware completed**



PTP-DCPS-002 and PTP-DCPS-003



# Junction Area DCPS – Installation and testing completed



PTP-DCPS-003 and PTP-DCPS-004



#### Junction Area DCPS Hardware User Interface installed and tested



Keycards for Autotester mode and for Real World mode



### DCPS Junction Area – ready to roll

**HSCs** 

RTU

HUI

AIO/DIO

**DCPS AT computer** 

DCPS-RT1 computer

Data Server

**UPS** 



Interface testing in progress

First use of DCPS-JA will be in support of rectifier dummy load testing using OI and Pt limits

Experience will be gained with operability and operations protocols prior to ISTP and CD-4

### **DCPS FCC residing on PCS-SRV-1**



Redundant code using PCS inputs from FPDP data stream

Set slightly more restrictively than DCPS-JA to avoid L1

Same core code in both locations

DCPS core software testing completed

**DCPS PCS Integration in progress** 

Testing found OS kernal problem

Concurrent computer out for recovery

DCPS fcc running on "Warthog" for testing

On track for CD-4...



### Algorithms for DCPS code – so far...

- Basic Moment and Vertical and Radial Force per Coil
- Combined Vertical Force
- TF Shear Stress and Out of Plane Moment
- PF Bolt Stresses
- PF Hoop and Bending Stresses
- Local OH Stress
- Action Coil Heating (I<sup>2</sup>t) with appropriate margin for coil heating from fault
- Overcurrents (Derived Type I)
- Includes margin for effect of disruption and halo currents due to a VDE
   New:
- $T_{OH} > T_{TF}$  with copper heating corrections due to Aquapour-CTD-425
  - (in development for CD4)

### DCPS\_PARAMETER TREE sets parameters...

- New tree created for each new set of parameter data
- Each post-shot archive contains the DCPS\_param version used
- Data stored in a protected location
- Accessible by DCPS without a network switch
- Immutable within reasonable expectation
- Read-only to the outside world
- DCPS reads correct Param\_tree for each shot every shot
- Administratively controlled by OP-DCPS-779 setup and startup procedure daily and with any requested or required change...

From K. Erickson Code Review



### **Provenance of Algorithm Limits for DCPS**

- DCPS limits from Engineering Analysis or force/stress values from 96 scenarios
  - Documented in design and analysis calculations
- Machine qualified to operate all 96 GRD scenarios with nearly infinite variations within the protection envelope
- Much margin beyond the 96 scenarios in many cases
- Caveats:
  - PF3 bipolar dynamics and PF1A strikepoint control especially during VDE
  - Soft shutdown for off-normal plasma behavior being considered for PCS to avoid DCPS trips
- DCPS algorithms added to Designpoint Spreadsheet and checked/benchmarked against full spec shot and 96 scenarios
- DCPS C++ code mimiced in IDL with two years of NSTX operations data
  - Check loads, forces, stresses plotted against plasma current
- Evaluate and improve Test shots to avoid egregious operation of the machine

From Living with DCPS..., S. Gerhardt



# **Pre-Operational Test Procedures for DCPS**

| PTP-DCPS-001                           | Software Testing             | Approved                        | Done                 |
|----------------------------------------|------------------------------|---------------------------------|----------------------|
| PTP-DCPS-002                           | Board Bench Testing          | Approved                        | Done                 |
| PTP-DCPS-003                           | HUI Testing                  | Approved                        | Done                 |
| PTP-DCPS-004                           | Real World Testing           | Approved                        | In progress          |
| PTP-DCPS-005                           | Buffer Chassis Testing (New) | Working draft in progress       | Dry runs in progress |
|                                        |                              |                                 |                      |
| OP-DCPS-779 Ops Setup/Startup<br>Reset |                              | Working<br>draft in<br>progress | In<br>development    |



### **Software testing for DCPS**

#### Software PTP tests:

- Verification of input data stream
- Verification of DCPS input and output data calibration factor
- Timing and data acquisition system
- Interpretation of shot sequence signals
- DCPS code operation in asynchronous mode
- DCPS code operation in synchronous mode (facility clock)
- Algorithm verification using cleverly constructed input files
- Level 1 Fault response verified
- WDT response verified

So far well over 1500 test shots have been performed...



### **Hardware testing for DCPS**

- Hardware PTP testing includes
  - Lemo connectors
  - Board bench testing
  - Chassis bench testing
  - In- situ Rack tests of HANS using Autotester mode
  - Rack and Integrated system tests using Real World mode using Autotester
  - Interface testing (L1, Ip Calc, PDP, WS PLC...)
- Many of these test steps repeatedly test chassis busses, boards, cables, interfaces etc...

### DCPS SDD, FMEA, and Reliability Assessment

- SAD updated to include DCPS
- FMEA updated to include DCPS for single point failures
- DCPS System Design Description and Reliability Assessment document drafted for failure rate analysis per NSTX\_CSU\_RQMT-CPS-159
- Failure of DCPS defined as a case where a L1 fault is warranted but neither DCPSs issue a fault
- Two independent, parallel, redundant fault systems with reliability that exceeds 10<sup>-4</sup>/ year and far exceeds 3.33 x 10<sup>-8</sup> failures/shot requirements

&

- Human performance factors mitigated with administrative control per OP-DCPS-779 and PTP testing after any changes before returning to operations
- Human intervention by COE with EPICS annunciation and other tools

#### **DCPS Overview Conclusion**

- DCPS core software completed new algorithms in development for Ops
- DCPS hardware completed punch list items in progress
- DCPS reviews completed chits dispositioned and most closed
- DPCS PTP testing completed more planned for Ops
- DCPS operations procedure in progress to support Ops setup/startup/ reset/change control
- DCPS System Design Description and Reliability Assessment drafted to document that DCPS meets or exceeds requirements
- NSTX Upgrade Project DCPS job scope completed and cost account closed
- Multiple conference papers have been published
- DCPS System turned over to Operations to support upcoming Power Systems Dummy Load testing, ISTP-001, CD-4, and Physics Operations

