Will We Ever Get The Green Light For Beam Operation?
J. Uythoven & R. Filippini
For the Reliability Working Group, Sub Working Group of the MPWG
Jan Uythoven, AB/BT
Chamonix@CERN 2005, Green Light
Topics of the Presentation
LHC Machine Protection System (MPS): red/green light to LHC operations
Reliability concerns: safety and availability
The simplified MPS studied: models, analysis and results
Comments and remarks; conclusions
Avoid Destruction: Red Light
Red light for beam operation: a normal dump request, i.e. the planned end of a physics run, or a dump caused by an unsafe beam. It is NOT caused by faulty equipment.
Main tasks of the MPS: transmission of the beam dump request, and execution of the beam dump request.
Historically the concern was a missing or badly executed normal beam dump. Historical concept of a reliable beam dumping system: 1 failure per 100 years.
Allow Operation: Green Light
Green light to start operation: no green light to inject if not everything is 100 % o.k.; a dry beam dump is performed first if necessary.
Green light to continue operation: a beam dump is triggered if something wrong is detected in the equipment status. These are the false beam dumps.
A false beam dump is caused either by faulty equipment, or by a failure in the surveillance system that gives a wrong diagnosis and so leads to a beam dump.
Aims of the Machine Protection System Analysis
Availability of the MPS: the system is available at any time t during a fill; no false dumps are allowed. Unavailability is expressed as the number of false dumps per year.
Safety of the MPS: the system is available at any time t during a fill; false dumps are allowed, the system remains safe. Unsafety is expressed as a probability per year.
Safety: the probability that the system terminates its task without any consequences regarding injury, damage or loss of equipment.
Availability: the probability that the system is performing the required function at a stated instant of time.
Machine Protection System: Simplified Architecture Studied
BIS: Beam Interlock System, BIC1 to BIC8
BIC x: Beam Interlock Controller at point x
BLM: Beam Loss Monitors
LBDS: LHC Beam Dumping System
PIC: Power Interlock Controller
QPS: Quench Protection System
Functional Architecture Used for Reliability Calculations
[Figure: block diagram. Systems available at a dump request from point x: QPS, PIC and BLM, feeding BIC x. Systems to be available at any dump request: BIC 6 and the LBDS. A dump request from the control room enters through BIC 1.]
Assumptions for MPS Reliability Calculations
Operational scenario: assume 200 days/year of operation, 10 hours per run followed by a post mortem, i.e. 400 fills per year. For every beam dump the LBDS plus (BIC + BLM + PIC + QPS) at point x are required. This is conservative for the safety calculations concerning BLM, PIC and QPS, and realistic for the availability calculations.
Failure rates: assume constant failure rates, calculated in accordance with the Military Handbook MIL-HDBK-217F.
Others: the system may fail only when it operates. It cannot be repaired if it has failed unsafe: GAME OVER.
Failure rate: the rate at which failure occurs as a function of time.
Benefit of Post Mortem for Redundant Systems
Post mortem is performed every 10 hours. The system is recovered at full redundancy.
Regeneration points: the failure rate is lower bounded by the non-redundant part.
[Figure: failure rates shown on the diagram: 10^-7/h for the non-redundant part, 10^-4/h for each of the two redundant parts.]
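Added example, not from the slides: a short Python model that puts numbers on the regeneration argument above. The model, the rates and the function names are my assumptions, not the working group's LBDS model: one non-redundant element at 10^-7/h in series with a 1-out-of-2 pair at 10^-4/h per channel, failing independently at constant rates, with the post mortem taken as a perfect regeneration point ("as good as new") at the end of every 10 h fill. It compares the unsafety per year with and without that regeneration, converts the result into the per-hour hazard that the conclusions compare with IEC 61508, and shows the lower bound set by the non-redundant part.

```python
"""Regeneration benefit for a redundant system (illustrative model, my assumptions).

Non-redundant element (LAM_SINGLE) in series with a 1-out-of-2 pair whose two
channels fail independently at LAM_REDUNDANT. Constant rates, no repair inside a
mission; a post mortem at the end of each mission restores full redundancy.
The rates are the orders of magnitude on the slide, not measured LBDS values.
"""
import math

MISSION_HOURS = 10.0        # slide assumption: 10 h fill, then post mortem
MISSIONS_PER_YEAR = 400     # slide assumption: 400 fills per year
LAM_SINGLE = 1e-7           # /h, non-redundant part (figure on the slide)
LAM_REDUNDANT = 1e-4        # /h, each redundant channel (figure on the slide)


def p_unsafe(t_hours, lam_single=LAM_SINGLE, lam_redundant=LAM_REDUNDANT):
    """Probability of having failed unsafe by t, starting fault free with no
    regeneration in [0, t]. The series element survives with exp(-lam_single*t);
    the 1oo2 pair is lost only when both channels have failed,
    probability (1 - exp(-lam_redundant*t))**2."""
    series_ok = math.exp(-lam_single * t_hours)
    pair_lost = (1.0 - math.exp(-lam_redundant * t_hours)) ** 2
    return 1.0 - series_ok * (1.0 - pair_lost)


def unsafety_per_year_with_post_mortem(lam_single=LAM_SINGLE,
                                       lam_redundant=LAM_REDUNDANT):
    """Every post mortem is a regeneration point, so the year consists of
    MISSIONS_PER_YEAR independent missions of MISSION_HOURS each."""
    p_mission = p_unsafe(MISSION_HOURS, lam_single, lam_redundant)
    return 1.0 - (1.0 - p_mission) ** MISSIONS_PER_YEAR


def unsafety_per_year_without_post_mortem(lam_single=LAM_SINGLE,
                                          lam_redundant=LAM_REDUNDANT):
    """No regeneration: a silently lost channel is carried into the next fill,
    so the exposure is one continuous mission of 400 x 10 h = 4000 h."""
    return p_unsafe(MISSION_HOURS * MISSIONS_PER_YEAR, lam_single, lam_redundant)


def equivalent_hazard_per_hour(p_year):
    """Constant hazard rate that yields unsafety p_year over one year of beam
    time (4000 h); the per-hour figure the conclusions compare with SIL bands."""
    return -math.log(1.0 - p_year) / (MISSION_HOURS * MISSIONS_PER_YEAR)


def sil_band(pfh):
    """IEC 61508 SIL for a high-demand/continuous-mode function from the
    probability of dangerous failure per hour: SIL n covers
    10^-(n+5) <= PFH < 10^-(n+4). Returns 0 outside the four bands."""
    for sil in (4, 3, 2, 1):
        if 10.0 ** -(sil + 5) <= pfh < 10.0 ** -(sil + 4):
            return sil
    return 0


if __name__ == "__main__":
    cases = (("with post mortem", unsafety_per_year_with_post_mortem()),
             ("without post mortem", unsafety_per_year_without_post_mortem()))
    for label, p in cases:
        h = equivalent_hazard_per_hour(p)
        print(f"{label:20s} unsafety/year = {p:.2e}  hazard = {h:.2e}/h  SIL{sil_band(h)}")
    print(f"lower bound set by the non-redundant part: {LAM_SINGLE:.1e}/h")
```

With the post mortem the yearly unsafety is of order 10^-3 and the equivalent hazard sits just above the 10^-7/h of the non-redundant part; without it the redundant pair is exposed for 4000 h at a stretch and the unsafety rises to roughly 0.1 per year, i.e. the redundancy is largely wasted when silent faults are never cleared.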
Assumptions for MPS Reliability Calculations, Continued
Regeneration points depend on the effectiveness of the diagnostics. Benefits from diagnostics exist for all redundant systems in the MPS.
System          | Partial regeneration       | As good as new
LBDS, BIC, PIC  | -                          | Post mortem at every fill
QPS             | Post mortem at every fill  | Monthly inspection
BLM             | Post mortem at every fill  | Yearly overhaul
Regeneration point: the instant when a system is recovered to a fault free state (as good as new).
Subsystem Analysis: LBDS
[Figure: LBDS block diagram. The dump request from BIC 6 goes to the BEM and to the triggering + re-triggering system, which issues the dump trigger to the RF powering + surveillance of the MKD kickers; the extracted beam then passes Q4 and the MSD, the MKB, and ends in the TDE, leaving the LHC ring.]
State Transition Diagram: LBDS
[Figure: state diagram with the states Available, Failed and Failed safe. Without surveillance, silent faults take the system from Available to Failed. With surveillance, detected faults lead to Failed safe and undetected faults to Failed; the surveillance itself is fail safe, so a surveillance failure also leads to Failed safe.]
SAFETY = system available or failed safe
Results for one LBDS
Results for the MKD kickers including the triggering/re-triggering systems and the powering surveillance:
ONE LBDS     | Unsafety/year  | False dumps/year
The system   | 6.5 × 10^-10   | 2.6
Safety bottleneck: the triggering system at the BIC6 client interface.
False dumps bottleneck: the power triggers (power supplies).
Some Plots
[Figure: unsafety per year (400 missions); distribution of false dumps per year.]
Post Mortem for LBDS
Post mortem benefit: it analyses the past fill and recovers the system to an as-good-as-new state, then gives the local beam permit to the next LHC fill.
But: a faulty post mortem may seriously affect safety.
Note: the post mortem process should be fail safe (if it fails, no beam permit is given).
[Figure: LBDS failure rate with and without post mortem, over 10 consecutive missions.]
Results for the Simplified MPS
System        | Unsafety/year      | False dumps/year | Analysis including                                              | Not included
LBDS          | 6.5 × 10^-10 (2×)  | 2.6 (2×)         | (Re-)triggering system, MKD (MIL-217F); BET, BEM (assumptions)  | MSD, Q4, MKB, TDE
BIC [BT]      | 7 × 10^-4          | 1.6              | User boxes only (MIL-217F)                                      | BIC core, VME and permit loops
BLM [GG]      | 1.7 × 10^-3        | 4.8              | Focused loss on a single monitor (MIL-217F, SPS data)           | Design upgrades
PIC [MZ]      | 5 × 10^-4          | 1.5              | One LHC sector (MIL-217F)                                       | Minor details
QPS [AV]      | 4 × 10^-4          | 14               | Complete system (MIL-217F)                                      | -
OVERALL RESULTS
MPS           | 0.0033             | 27               | -                                                               | -
(2×): there is one LBDS per beam, so the LBDS figures enter the overall result twice.
Comments on Results: Safety
Probability of failing unsafe about once every 300 years (mean time to failure, 1/0.0033 per year).
The point-like loss assumed for the BLM is too conservative, as a beam loss is likely to affect several monitors. If at least two monitors are concerned, the BLM unsafety is < 2.75 × 10^-6 per year instead of 1.7 × 10^-3.
Optimistic aspects of the calculation: the BIC model only includes the user boxes (= single point of failure); many systems are not included in the analysis, but the most critical systems should be in.
Conservative aspects of the calculation: it assumes all systems have to be available for every beam dump, whereas the QPS, the PIC and the BLM are not always required.
The LBDS itself is extremely safe, due to the large redundancy in the active system and in the surveillance system.
Comments on Results: Availability
27 false dumps per year expected, i.e. 7 % of all fills; half of them are expected to originate from the QPS.
Generally, the contribution of the powering systems within the MPS needs to be assessed in more detail and could have been overestimated. Some systems are still under development.
Keeping in Mind
Results are shown for a simplified model of the MPS. Not included: beam position, RF, collimation system, post mortem.
A distinction by source of dump request could be necessary. A distinction between the fraction of false dumps due to the surveillance and the fraction due to the actual equipment could be interesting.
Some calculations are preliminary (BIC). Sensitivity analyses remain to be done.
Availability also depends on systems outside the MPS: power converters, cryogenics, vacuum, ...
Trading Off Safety and Availability
The MPS is a trade-off: safety is the primary goal of the MPS, while keeping the availability acceptable. Many interlocks make the system safer, BUT any faulty interlock (fail safe) reduces the availability of the system. Therefore safety and availability are coupled and cannot be optimised independently.
Safe beam flag. Benefit: some interlocks are maskable during non-critical phases, which gives operational freedom. Drawback: reliable tracking of phase changes is mandatory; if it fails, it must fail safe.
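Added example, not from the slides: a small continuous-time Markov chain that puts numbers on the LBDS state transition diagram (available / failed / failed safe, with fail-safe surveillance), on the partial-regeneration column of the assumptions table, and on the trade-off stated on this slide. The chain, its rates and all names are my assumptions and not the working group's model: a 1-out-of-2 redundant function whose online surveillance detects a channel fault with a coverage probability and whose own faults always cause a dump; the post mortem at the end of each fill finds a surviving silent fault with a second coverage probability (1.0 = as good as new, less = partial regeneration). Raising the surveillance coverage lowers the unsafety and raises the number of false dumps, which is the coupling the slide describes.

```python
"""Safety/availability trade-off of a surveilled 1oo2 function (illustrative, my assumptions).

States within one fill:
  A2  both channels healthy
  A1  one channel has a silent, undetected fault; the other still works
  S   failed safe: a fault was detected or the surveillance tripped, beam dumped
      (counted as a false dump for that fill)
  U   failed unsafe: both channels silently lost; absorbing ("game over")
All rates are illustrative values, not measured LBDS data.
"""
import math

A2, A1, S, U = range(4)
MISSION_HOURS = 10.0        # slide assumption: 10 h fill
MISSIONS_PER_YEAR = 400     # slide assumption: 400 fills per year


def generator(lam=1e-4, coverage=0.9, lam_surv=1e-5):
    """Generator matrix Q of the within-fill chain (rows sum to zero).
    lam: fault rate per channel [/h]; coverage: fraction of channel faults the
    surveillance detects; lam_surv: fail-safe surveillance trip rate [/h]."""
    q = [[0.0] * 4 for _ in range(4)]

    def rate(i, j, r):
        q[i][j] += r
        q[i][i] -= r

    rate(A2, A1, 2 * lam * (1 - coverage))       # one of two channels fails undetected
    rate(A2, S, 2 * lam * coverage + lam_surv)   # detected fault or surveillance trip: dump
    rate(A1, U, lam * (1 - coverage))            # last channel fails undetected: unsafe
    rate(A1, S, lam * coverage + lam_surv)       # detected fault or surveillance trip: dump
    return q                                     # S and U are absorbing (zero rows)


def matmul(a, b):
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) for j in range(n)] for i in range(n)]


def transition_matrix(q, t, tol=1e-18):
    """P(t) = exp(Q t) by uniformisation: with L >= the largest exit rate,
    exp(Qt) = sum_k Poisson(k; L t) * (I + Q/L)^k, a sum of non-negative terms."""
    n = len(q)
    ident = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    big_l = max(-q[i][i] for i in range(n))
    if t == 0.0 or big_l == 0.0:
        return ident
    m = [[ident[i][j] + q[i][j] / big_l for j in range(n)] for i in range(n)]
    p = [[0.0] * n for _ in range(n)]
    power, weight, k = ident, math.exp(-big_l * t), 0
    while True:
        for i in range(n):
            for j in range(n):
                p[i][j] += weight * power[i][j]
        k += 1
        weight *= big_l * t / k                  # next Poisson weight
        if weight < tol and k > big_l * t:       # past the mode and negligible: stop
            return p
        power = matmul(power, m)


def year(lam=1e-4, coverage=0.9, lam_surv=1e-5, pm_coverage=1.0):
    """Run MISSIONS_PER_YEAR fills. Returns (unsafety per year, expected false
    dumps per year). After a dump the detected fault is repaired and the next fill
    starts from A2 (assumption); a silent fault that survives the fill is found by
    the post mortem with probability pm_coverage, otherwise it is carried over."""
    p = transition_matrix(generator(lam, coverage, lam_surv), MISSION_HOURS)
    start = [1.0, 0.0, 0.0, 0.0]                 # state distribution at fill start
    unsafety = false_dumps = 0.0
    for _ in range(MISSIONS_PER_YEAR):
        end = [sum(start[i] * p[i][j] for i in range(4)) for j in range(4)]
        false_dumps += end[S]
        unsafety += end[U]                       # mass in U leaves the chain for good
        start = [end[A2] + end[S] + end[A1] * pm_coverage,
                 end[A1] * (1.0 - pm_coverage), 0.0, 0.0]
    return unsafety, false_dumps


if __name__ == "__main__":
    print("coverage  unsafety/year  false dumps/year  (post mortem as good as new)")
    for cov in (0.5, 0.9, 0.99):
        u, f = year(coverage=cov)
        print(f"{cov:8.2f}  {u:13.2e}  {f:16.2f}")
    u_full, _ = year(pm_coverage=1.0)
    u_none, _ = year(pm_coverage=0.0)
    print(f"post mortem finds nothing: unsafety/year {u_none:.2e} instead of {u_full:.2e}")
```

The sweep over the surveillance coverage shows the two columns of the results table moving in opposite directions, and the last line shows why the post mortem matters even when the online surveillance is good: silent faults that are never cleared accumulate from fill to fill and the unsafety grows by more than two orders of magnitude.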
Conclusions
Safety: failing unsafe 3 times per 1000 years, i.e. 0.003 per year of 4000 h beam time, equivalent to 7.5 × 10^-7/h, which lies in the SIL2 band (10^-7/h to 10^-6/h) of the IEC 61508 standard for safety critical systems. Acceptable?
Availability: 27 false dumps per year, 7 % of all fills. Acceptable?
Comments: simplified system; importance of the post mortem; reliable safe beam flag.
Acknowledgements: Machine Protection Reliability Working Group