1 will we ever get the green light for beam operation? j. uythoven & r. filippini for the...
TRANSCRIPT
1
Will We Ever Get The Will We Ever Get The Green Light For Beam Green Light For Beam
Operation?Operation?J. Uythoven & R. Filippini
For the Reliability Working GroupSub Working Group of the MPWG
Jan Uythoven, AB/BT
Chamonix@CERN 2005, Green Light
Page 2
Topics of the Topics of the PresentationPresentation
LHC Machine Protection System (MPS) Red / green light to LHC operations
‘Reliability’ concerns Safety and Availability
The simplified MPS studied Models, analysis and results
Comments and remarks Conclusions
Jan Uythoven, AB/BT
Chamonix@CERN 2005, Green Light
Page 3
Red light for beam operation If we need to abort the beam, does it get dumped correctly? Safety
Main tasks of MPS Transmission of beam dump request Execution of beam dump request
Historical Afraid of missing or bad execution of a beam dump Historical concept of ‘reliable’ beam dumping system:
1 failure per 100 years
MPS: Avoid Damage MPS: Avoid Damage Red LightRed Light
Jan Uythoven, AB/BT
Chamonix@CERN 2005, Green Light
Page 4
MPS: Allow OperationMPS: Allow OperationGreen LightGreen Light
Green light for beam operation Does the MPS let us operate the machine? Availability False dump
No green light due to Faulty ‘core equipment’ within the MPS Fault in the surveillance system within the MPS: False
Alarm
Jan Uythoven, AB/BT
Chamonix@CERN 2005, Green Light
Page 5
Aims of Machine Protection Aims of Machine Protection System AnalysisSystem Analysis
Availability of the MPS System available on demand (at
moment of dump request) No false dumps are allowed Unavailability in term of number of
false dumps per year
Safety of the MPS System available on demand (at
moment of dump request) False dumps are allowed, system
remains safe Unsafety in terms of probability per year
The probability that the system terminates its task without any consequences regarding damage or loss of equipment.
The probability that the system is performing the required function at a stated instant of time.
And what about
RELIABILITY ?
RELIABILITY:The probability that the system
isperforming the required functionfor a stated PERIOD OF TIME
RELIABILITY The plane is reliable if it gets me to my destination, once it is in the air
SAFETY: One engine of the airplane broke down, but it landed safely at a different airport
AVAILIBILITY: The plane leaves on time – on demandProcesses which are not continuous; repair the
plane between flights
The ensemble is called DEPENDABILITY
Jan Uythoven, AB/BT
Chamonix@CERN 2005, Green Light
Page 6
Aims of Machine Protection Aims of Machine Protection System AnalysisSystem Analysis
Availability of the MPS System available on demand (at
moment of dump request) No false dumps are allowed Unavailability in term of number of
false dumps per year
Safety of the MPS System available on demand (at
moment of dump request) False dumps are allowed, system
remains safe Unsafety in terms of probability per year
The probability that the system terminates its task without any consequences regarding damage or loss of equipment.
The probability that the system is performing the required function at a stated instant of time.
Jan Uythoven, AB/BT
Chamonix@CERN 2005, Green Light
Page 7
Machine Protection SystemMachine Protection SystemSimplified ArchitectureSimplified Architecture
BISBeam Interlock System: BIC1 (R/L) – BIC8 (R/L)
BIC xBeam Interlock Controller at point x (our definition)
BLMBeam Loss Monitors
LBDSLHC Beam Dumping System
PICPowering Interlock Controller
QPSQuench Protection System
Jan Uythoven, AB/BT
Chamonix@CERN 2005, Green Light
Page 8
Functional ArchitectureFunctional ArchitectureUsed for the CalculationsUsed for the Calculations
QPS
Systems available at a dump request from point x
PIC
BLM
BIC x
BIC 1Dump request from the control room
BIC 6LLBDS
Systems to be available at any dump request
BIC 6R
Jan Uythoven, AB/BT
Chamonix@CERN 2005, Green Light
Page 9
Assumptions for MPS Assumptions for MPS CalculationsCalculations
Operational scenario Assume 200 days/year of operation, 10 hours per run followed by
post mortem, 400 fills per year For every beam dump LBDS + (BIC+BLM+PIC+QPS)point x
Conservative for safety calculations concerning BLM, PIC and QPS Realistic for availability calculations
Failure rates Assume constant failure rates Calculated in accordance to the Military Handbook 217F
Others The system may fail only when it operates It cannot be repaired if failed unsafe GAME OVER
The rate at which failure occurs as a function of time
Jan Uythoven, AB/BT
Chamonix@CERN 2005, Green Light
Page 10
Benefit of Diagnostics for Benefit of Diagnostics for Redundant SystemsRedundant Systems
Diagnostics is performed every 10 hours (example) The system is recovered at full redundancy
Regeneration points Failure rate is lower bounded by the non-redundant part
10-7/h
10-4 /h
10-4 /h
Jan Uythoven, AB/BT
Chamonix@CERN 2005, Green Light
Page 11
Assumptions for MPS Calculations Assumptions for MPS Calculations … continued… continued
Regeneration points depend on diagnostics effectiveness Benefits from diagnostic exist for all
redundant systems in the MPS
SYSTEM Partial regeneration As good as new
LBDS, BIC, PIC - Post mortem at every fill
QPS - Power abort or monthly inspection
BLM Post mortem at every fill Yearly overhaul
The instant when a system is recovered to a fault free state (as good as new)
Jan Uythoven, AB/BT
Chamonix@CERN 2005, Green Light
Page 12
BEAM in the LHC
Subsystem Analysis Subsystem Analysis LBDSLBDS
MKD
Q4,MSD
MKB
TDE
BEAM dumped
Triggering + Re-
triggering
Dump trigger
RFPowering + Surveillanc
e
Dump request
BEM
Jan Uythoven, AB/BT
Chamonix@CERN 2005, Green Light
Page 13
State Transition DiagramState Transition DiagramLBDSLBDS
Available Failed
Silent faults
SAFETY = available or failed safely
False alarm
Failedsafely
Undetected faultsDetected faults
Surveillance
Jan Uythoven, AB/BT
Chamonix@CERN 2005, Green Light
Page 14
Results for one LBDSResults for one LBDS
Results for the MKD kickers including the triggering/re-triggering systems and the powering surveillance
ONE LBDS Unsafety / year False dumps / year
The system 1.410-7 2.6 (+/-1.6)
Safety bottleneck MKD Magnets (coils + current cables): no surveillance
False dumps bottleneck Power triggers (power supplies)
Jan Uythoven, AB/BT
Chamonix@CERN 2005, Green Light
Page 15
Some PlotsSome Plots
Unsafety per year = 400 missions
False dumps distribution per year
Jan Uythoven, AB/BT
Chamonix@CERN 2005, Green Light
Page 16
Post Mortem for LBDSPost Mortem for LBDS
Post mortem benefit Analyses the past fill and
recovers the system to as good as new state
Gives the local beam permit to the next LHC fill.
Note Faulty post mortem may
seriously affect safety.
LBDS failure rate with and without post mortem (over 10 consecutive missions)
With ..
Without post mortem
Jan Uythoven, AB/BT
Chamonix@CERN 2005, Green Light
Page 17
Results for the Results for the Simplified MPSSimplified MPS
System Unsafety/year False dumps/yearAverage Std. Dev.
Analysis including Not included
LBDS
[RF]
1.4 10-7 (2X) 2.6 (2X) (+/-1.6) (Re-)triggering system,MKD (MIL-217F)
BET, BEM (assumptions)
MSD, Q4, MKB
TDE
BIC [BT]
0.7 10-3 1.6 (+/-1.3) User Boxes only (MIL-217F) BIC core, VME and permit loops
BLM
[GG]
1.7 10-3 4.8 (+/-2.1) Focused loss on single monitor
(MIL-217F, SPS data)
Design upgrades
PIC
[MZ]
0.5 10-3 1.5 (+/-1.2) One LHC sector (MIL-217F) PLC
QPS
[AV]
0.4 10-3 7.7 (+/-2.7) Complete system (MIL-217F)
Power converters for electronics
OVERALL RESULTS
MPS 3.3 10-3 20.6 (+/-10.5) -
Jan Uythoven, AB/BT
Chamonix@CERN 2005, Green Light
Page 18
Comment on ResultsComment on ResultsSafetySafety
Probability of failing unsafe about 300 years (Mean Time To Failure) The punctual loss for the BLM is too conservative as a beam loss is likely to
affect several monitors. If at least two monitors are concerned then BLM unsafety < 2.910-6 per year instead of 1.710-3
Optimistic method of calculation BIC model only includes user boxes (= single point of failure) Many systems not included in the analysis
But most critical systems should be in
Conservative method of calculation Assumes all systems (one of each) have to be available for every beam dump The QPS, the PIC and the BLM are not always required
LBDS itself extremely safe Due to large redundancy in the active system and in the surveillance system
Jan Uythoven, AB/BT
Chamonix@CERN 2005, Green Light
Page 19
Comments on ResultsComments on ResultsAvailabilityAvailability
20 false dumps per year expected 5 % of all fills (+/- 2.5% std. dev.) One third of it expected to origin from the QPS
Calculations of availability based on About 3500 BLMs About 4000 channels for QPS 36 PIC and 16 BIC systems
Generally Contribution of powering system within the MPS needs to be
assessed in more detail and could have been overestimated For QPS power converters of electronics are not included. If included number
of false quenches almost x 2 – see Chamonix 2003, p. 209.However, the pc could be doubled if found necessary ($)
Some systems still under development
Jan Uythoven, AB/BT
Chamonix@CERN 2005, Green Light
Page 20
Keeping in mindKeeping in mind
Results shown for a simplified model of the MPS Not in: beam position, RF, collimation system, post mortem Distinction on source of dump requests could be necessary Distinction on fraction of false dumps due to surveillance and
due to the actual equipment can be interesting Some calculations are preliminary (BIC) Sensitivity analyses
Availability also depends on systems outside the MPS Power converters, cryogenics, vacuum,…
Jan Uythoven, AB/BT
Chamonix@CERN 2005, Green Light
Page 21
Trading-off Trading-off Safety and AvailabilitySafety and Availability
The MPS is a trade-off Safety is the primary goal of the MPS while keeping the
Availability acceptable Many interlocks make the system safer BUT any faulty
interlock (fail-safe) reduces the availability of the system Therefore, Safety and Availability are correlated.
Safe beam flag Benefit: some interlocks are maskable during non critical
phases Operational freedom, increased availability
Drawback: reliable tracking of phase changes is mandatory If it fails, it must fail safely
Jan Uythoven, AB/BT
Chamonix@CERN 2005, Green Light
Page 22
ConclusionsConclusions Safety
Failing unsafe 3 /1000 years Equivalent to 7.5 10-7/h and compatible with SIL2 (10-7/h) of
IEC-61508 standard for safety critical system Beam dumping system itself: 7 10-11/h: SIL4
Acceptable ?
Availability coming from MPS 20 false dumps per year, 5 % of all fills Acceptable ? Other systems ?
Comments Simplified system Importance of post mortem Reliable safe beam flag
Acknowledgements:
Machine Protection Reliability Working Group
Green Light from MPS: 95 % of the time