Dependability Requirements of the LBDS and their Design Implications
Jan Uythoven (AB/BT)
References to work by R. Filippini (Ph.D. thesis) and the Machine Protection Working Group
Outline
- Requirements on the LBDS in the context of the Machine Protection System
  - Dependability numbers for the MPS
  - Dependability numbers for the LBDS
- Safe Design of the LBDS
  - Measures taken
  - Sensitivity
  - Procedures
- Conclusions
Jan Uythoven, AB/BT, LBDS Audit, 28 January 2008
Dependability Requirements of the LHC Machine Protection System
- Safety Assessment ('reliability')
  - IEC 61508 standard defining the different Safety Integrity Levels (SIL), ranking from SIL 1 to SIL 4
  - Based on Risk Classes = Consequence x Frequency
  - The Machine Protection System for the LHC should be SIL 3, taking the definition for Protection Systems, with a probability of failure between 10^-8 and 10^-7 per hour (because of short mission times)
  - Catastrophe = beam should have been dumped and this did not take place; can possibly cause large damage
  - With 200 days of operation per year: 1 failure per 10^7 hours corresponds to 1 failure every 2000 years
- Availability
  - Definition:
    - Beam is dumped when it was not required
    - Operation cannot take place because the protection system does not give the green light (is not ready)
  - Requirement:
    - Definition not according to any standard
    - Downtime comparable to other accelerator equipment; maximum tens of false operations per year
The LBDS within the Machine Protection System
- Study of a simplified Machine Protection System
  - LBDS, BIC, BLM, QPS, PIC
  - Absolute value of the unsafety and number of false dumps depend critically on model assumptions
  - Resulting safety number can be between SIL 2 and SIL 4
- Dependability studies were made for each sub-system
- Unsafety of the LBDS and availability comparable to the other systems:
  - Unsafety: 2 x 2.4 x 10^-7 per year
  - False dumps: 2 x 4 per year
  - LBDS safety > SIL 4!
Calculation of the LBDS Dependability Numbers
- Ph.D. thesis of Roberto Filippini
- FMECA analysis
  - More than 2100 failure modes at component level
    - Component failure rates from standard literature (Military Handbook)
  - Arranged into 21 System Failure Modes
- Operational Scenarios with a State Transition Diagram for each Mission = 1 LHC fill
- State Transition Diagram for the Sequence of Missions and checks
Fault Tolerant Design
No single point of failure should exist in the LBDS:
- Redundancy is introduced to allow failures up to a certain threshold
- Redundancy in components and in signal paths
- Surveillance detects failures and issues a fail-safe dump request
Redundancy and surveillance measures shown in the slide diagram, in slide order:
- Redundancy: reference energy taken from 4 Main Dipole circuits
- 14 out of 15 MKD, 1 out of 2 MKD generator branches
- TX/RX error detection
- Voting of inputs
- Surveillance: energy tracking, retriggering
- Surveillance: energy tracking, fast current change monitoring (MSD)
- Redundancy: 1 out of 2 trigger generation and distribution
- Surveillance: synchronization tracking
- Redundancy: 1 out of 4 MKBH, 1 out of 6 MKBV
- Surveillance: energy tracking
Apportionment of Dependability
- Safety and number of false dumps are apportioned to the LBDS components.
- The MKD is the most complicated and critical system of the LBDS. It makes the largest contribution both to unsafety (75 %) and to the number of false dumps (60 %).
Sensitivity to Fault Tolerant Design and Surveillance (Re-Trigger System)
[Chart: sensitivity of the dependability numbers to the fault tolerant design and the surveillance systems]
All these systems are obligatory!
Sensitivity to Assumed Failure Rates
[Chart: sensitivity of the dependability numbers to the assumed component failure rates; panels "Important for Safety" and "Important for Availability"]
Safety by Operation / Procedures
- Periodic checks to get back to a state which is 'as good as new'
  - Failure rates of redundant systems increase in time; the checks get them back to zero (different from aging)
  - Included in the Dependability Calculations
- After each LHC beam dump the green light for injection is only given when
  - the Internal Post Operational Check (IPOC) is ok (talk NM):
    - MKD and MKB current waveforms
    - Redundancy in current paths
    - ...
  - the External Post Operational Check (XPOC) is ok (talk EG):
    - MKD and MKB current waveforms
    - Image on the screen in front of the beam dump
    - Beam Loss Monitors in the extraction area and dump line
    - ...
- Testing before operation (talk JU)
  - Tests in the laboratory, before installation
  - Tests once installed, before operation with beam
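The three numerical ideas the slides rely on can be checked with a few lines of code: converting the IEC 61508 probability of failure per hour into failures per operating year (the "1 failure every 2000 years" figure), the k-out-of-n redundancy of the fault tolerant design (14 out of 15 MKD, 1 out of 2 trigger paths), and the reason periodic checks matter for redundant systems (undetected failures accumulate between checks, so the probability that all redundant channels are down grows with the time since the last check and is reset by the check). The script below is an added example, not code from the slides or from R. Filippini's thesis. The only figures it takes from the slides are 200 operating days per year and the SIL 3 band of 10^-8 to 10^-7 failures per hour; every per-unit failure probability and failure rate it uses is a constructed placeholder, the k-out-of-n model assumes independent units with no common-cause failures, and the 1-out-of-2 proof-test model is the standard textbook approximation, not the state-transition model of the thesis.

```python
"""Added worked example (not from the slides or R. Filippini's thesis).

  1. SIL probability of failure per hour -> failures per operating year
  2. k-out-of-n redundancy (e.g. 14 out of 15 MKD) with a binomial model
  3. Why the failure probability of a redundant system grows between
     periodic checks and is reset to zero by a check

All per-unit failure probabilities and rates below are CONSTRUCTED
placeholders; only the 200 operating days/year and the SIL 3 band
(1e-8 .. 1e-7 per hour) are taken from the slides.
"""
from math import comb, exp

HOURS_PER_OPERATING_YEAR = 200 * 24      # 200 days of operation per year (slides)
SIL3_PFH_BAND = (1e-8, 1e-7)             # IEC 61508 probability of failure per hour


def failures_per_year(pfh, hours_per_year=HOURS_PER_OPERATING_YEAR):
    """Expected number of dangerous failures per operating year."""
    return pfh * hours_per_year


def years_between_failures(pfh, hours_per_year=HOURS_PER_OPERATING_YEAR):
    """Mean number of operating years between dangerous failures."""
    return 1.0 / failures_per_year(pfh, hours_per_year)


def k_out_of_n_failure_probability(n, k, p_unit):
    """Probability that a k-out-of-n system fails on demand, i.e. that fewer
    than k of its n units work. Idealisation: units fail independently, each
    with probability p_unit, and there are no common-cause failures."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    q = 1.0 - p_unit
    # j = number of units that work; the system fails for every j < k
    return sum(comb(n, j) * q ** j * p_unit ** (n - j) for j in range(k))


def pfd_1oo2_at(lam, t):
    """Probability that both channels of a 1-out-of-2 system have failed
    undetected t hours after the last check, each channel having a constant
    undetected failure rate lam (per hour). Grows with t, reset by a check."""
    return (1.0 - exp(-lam * t)) ** 2


def pfd_1oo2_average(lam, interval):
    """Average of pfd_1oo2_at over a check interval (closed-form integral of
    (1 - e^{-lam t})^2 from 0 to interval, divided by the interval)."""
    t = interval
    integral = (t - (2.0 / lam) * (1.0 - exp(-lam * t))
                + (1.0 / (2.0 * lam)) * (1.0 - exp(-2.0 * lam * t)))
    return integral / t


def main():
    print("SIL 3 band converted with 200 operating days per year:")
    for pfh in SIL3_PFH_BAND:
        print(f"  {pfh:.0e}/h -> {failures_per_year(pfh):.1e} failures/year "
              f"-> 1 failure every {years_between_failures(pfh):.0f} years")

    p_unit = 1e-3  # CONSTRUCTED per-unit failure probability, not an MKD value
    print(f"\nk-out-of-n with constructed p_unit = {p_unit}:")
    for n, k, label in [(15, 15, "15 of 15 (no redundancy)"),
                        (15, 14, "14 of 15 MKD"),
                        (2, 1, "1 of 2 trigger paths")]:
        print(f"  {label:26s} P(fail) = {k_out_of_n_failure_probability(n, k, p_unit):.2e}")

    lam = 1e-5  # CONSTRUCTED undetected failure rate per hour per channel
    print(f"\n1-out-of-2 with constructed lam = {lam}/h, effect of the check interval:")
    for interval in (100, 500, 1000, 5000):
        print(f"  check every {interval:5d} h: PFD at end {pfd_1oo2_at(lam, interval):.2e}, "
              f"average {pfd_1oo2_average(lam, interval):.2e}")


if __name__ == "__main__":
    main()
```

Running the script reproduces the slide's figure of roughly one failure in 2000 years at 10^-7 per hour, shows that 14-out-of-15 voting reduces the failure probability by more than two orders of magnitude compared with requiring all 15 units (for the constructed p_unit), and shows the average 1-out-of-2 failure probability falling as the check interval is shortened, which is the quantitative reason the periodic checks are part of the dependability calculation.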
Conclusions
- The Beam Dumping System has been designed with Safety and Availability as design criteria
  - Redundancy
  - Surveillance
  - Procedures
- A detailed dependability analysis has been made for the Beam Dumping System and the other Machine Protection Subsystems
- Coherency within the Machine Protection System should lead to acceptable safety and availability of the MPS as a whole
  - Beam Dumping System not a weak link of the MPS concerning safety
  - Acceptable number of false beam dumps from the LBDS
- Within the Beam Dumping System
  - Sensitivity to design parameters / redundancy shows that correct design choices seem to have been made
- To the 'invited experts' of the Audit to confirm (or not)