16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio1/39 Reliability of Beam Loss Monitors System for the Large Hadron Collider at CERN

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio2/39 Outline Dependability Analysis. Introduction. System Layout. Dependable Design. Sensitivity. Conclusions.

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio3/39 LHC Challenges 1.27 km long ring: largest worldwide accelerator. 2.Luminosity: cm -2 s TeV protons (10 times higher than existing accelerators ) km long ring: largest worldwide accelerator. 2.Luminosity: cm -2 s TeV protons (10 times higher than existing accelerators ). RF Cleaning section Proton injection Dump Cleaning section Proton injection MJ of energy in the two beams (200 times higher) GJ of energy in the electric circuits. 6.Superconductive magnets: 502 main quadrupoles, 1232 main dipoles MJ of energy in the two beams (200 times higher) GJ of energy in the electric circuits. 6.Superconductive magnets: 502 main quadrupoles, 1232 main dipoles.

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio4/39 LHC Protection System In the frame of the Reliability Working Group, the LHC systems have been globally investigated from the dependability point of view. Unforeseen Fast Others Middle and Slow Planned Beam Loss Monitors System LHC Beam Dump System LHC Beam Interlock System Quench Protection System Others 400 dump requests Beam Loss Beam Loss Monitors System

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio5/39 BLMS Aims 1.Monitor the 27 km of accelerator to detect dangerous losses. 2.Trigger beam extraction requests to avoid damages of the superconductive magnets and of other equipments. The BLMS must be : 1.SAFE: in case of dangerous loss, it has to inhibit the beam permit. If it fails, there will be ~30 days of downtime. 2. FUNCTIONAL: in case of NO dangerous loss, it has NOT to inhibit the beam. If it fails, it generates a false alarm and 3 h will be lost to recover the previous situation. Such an event will decrease the LHC efficiency. 1.Monitor the 27 km of accelerator to detect dangerous losses. 2.Trigger beam extraction requests to avoid damages of the superconductive magnets and of other equipments. The BLMS must be : 1.SAFE: in case of dangerous loss, it has to inhibit the beam permit. If it fails, there will be ~30 days of downtime. 2. FUNCTIONAL: in case of NO dangerous loss, it has NOT to inhibit the beam. If it fails, it generates a false alarm and 3 h will be lost to recover the previous situation. Such an event will decrease the LHC efficiency.

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio6/39 Outline Dependability Analysis. Introduction. System Layout. Dependable Design. Sensitivity. Conclusions.

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio7/39 System Layout 1.Detector locations. 2.Secondary particles heating. 3.Front End Electronics. 4.Back End Electronics. 5.Combiner. 6.VME Crate and Rack. 7.Power supplies. 1.Detector locations. 2.Secondary particles heating. 3.Front End Electronics. 4.Back End Electronics. 5.Combiner. 6.VME Crate and Rack. 7.Power supplies.

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio8/39 Detector Location Simulation of the loss locations along the LHC ring. Concentration of losses at the quadrupole regions. Simulation of the loss locations along the LHC ring. Concentration of losses at the quadrupole regions. Quadrupole MO Beam direction Courtesy of S. Redaelli Simulations requested and specified. Conservative hypothesis: the simultaneous presence of high losses in different locations is neglected. Every dangerous loss could be seen just by one detector.

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio9/39 Secondary Particles Heating Estimation of the proton rate density necessary to perform a transition from the superconductive state to the normal conductive state. Different estimation performed with non-linear differential equations (film boiling effect, …). Big uncertainty. Further studies motivated. Estimation of the proton rate density necessary to perform a transition from the superconductive state to the normal conductive state. Different estimation performed with non-linear differential equations (film boiling effect, …). Big uncertainty. Further studies motivated.

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio10/39 BLMS Signal Chain Channel 1 Multi- plexing and doubling Optical TX Channel 8 DetectorDigitalization Optical TX VME Backplane Optical RX Superconducting magnet Secondary particle shower generated by a lost Demulti- plexing Signal selec- tion Thres- holds comp- arison Channel selection and beam permits gener- ation. Status monitor FEE 2 Beam Energy TUNNEL SURFACE FEE 1 Unmaskable beam permits Maskable beam permits Back End Electronics (BEE) Front End Electronics (FEE)

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio11/39 Detector Detection of the particles’ shower. Current signal proportional to the particles’ loss. Ionization chambers placed around the quadrupole region. Detection of the particles’ shower. Current signal proportional to the particles’ loss. Ionization chambers placed around the quadrupole region.

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio12/39 Channel 8 Front End Electronics (FEE) Front End Electronics Transformation of the current signal in a digital data. Multiplexing of 8 channels with redundant optical transmission. Electronics in an harsh environment (radiations). Transformation of the current signal in a digital data. Multiplexing of 8 channels with redundant optical transmission. Electronics in an harsh environment (radiations). Multi- plexing and doubling Optical TX Digitalization Optical TX

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio13/39 Back End Electronics VME Backplane Optical RX Demulti- plexing Status monitor FEE 2 Beam Energy SURFACE FEE 1 Unmaskable beam permits Maskable beam permits Back End Electronics (BEE) Optical RX Demulti- plexing Signal selec- tion Thres- holds comp- arison Channel selection and beam permits gener- ation. Optical receivers in a mezzanine board. Data treatment in a Digital Acquisition Board. Energy input for the selection of the threshold levels. Beam permits connected to the backplane. Optical receivers in a mezzanine board. Data treatment in a Digital Acquisition Board. Energy input for the selection of the threshold levels. Beam permits connected to the backplane.

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio14/39 Combiner Reception of the beam permits and forwarding them to the LHC Beam Interlock System. Reception and distribution of the energy signal to the BEE cards. Surveillance: several testing process for the BLMS. Reception of the beam permits and forwarding them to the LHC Beam Interlock System. Reception and distribution of the energy signal to the BEE cards. Surveillance: several testing process for the BLMS. Combiner card FPGA 8 bits Energy from external system Maskable beam permit Logic switch Current loops from previous Combiner From last DAB Unmaskable beam permit tests, settings, … From last DAB 8 bit Energy to DABs To next Combiner Current loops to next Combiner or to LBIS Logic switch HT Driver To-from HT (only last Combiner) Comparators Voltages and Currents signals from VME power supplies. Beam Permit Status form LBIS Maskable U n m a s k a b l e VME backplane 8 VME bus

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio15/39 VME Crate and Rack Up to 16 BEE cards and a Combiner card are located in a VME crate. The beam permit lines of the BEE cards in a crate are daisy chained up to the Combiner card. Up to 16 BEE cards and a Combiner card are located in a VME crate. The beam permit lines of the BEE cards in a crate are daisy chained up to the Combiner card. The energy signal is provided in parallel to each combiner card. 25 VME Crates in 8 racks per LHC octant. In each rack there will be a LHC Beam Interlock System user interface. The beam permit lines of the Combiner cards in a rack are daisy chained up to the LBIS user interface. 25 VME Crates in 8 racks per LHC octant. In each rack there will be a LHC Beam Interlock System user interface. The beam permit lines of the Combiner cards in a rack are daisy chained up to the LBIS user interface. VME crate (up to16BEE) Combiner i Beam Energy 8 3x current loops VME crate (up to16BEE) 3x current loops VME crate (up to16BEE) Combiner 3x current loops LBIS Combiner

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio16/39 Power Supplies 1926 power supplies in the tunnel. 25 VME power supplies at the surfaces. 16 High Tension (HT) power supplies at the surface for the detectors power supplies in the tunnel. 25 VME power supplies at the surfaces. 16 High Tension (HT) power supplies at the surface for the detectors.

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio17/39 Outline Dependability Analysis. Introduction. System Layout. Dependable Design. Sensitivity. Conclusions.

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio18/39 Dependability Safety Reliability Maintainability Availability Risk a) >30 days of downtime for a magnet substitutions. b) ~3 hours of downtime to recover from a false alarm. a) >30 days of downtime for a magnet substitutions. b) ~3 hours of downtime to recover from a false alarm. Dependability a) Probability to loose a magnet: < 0.1/y. b) Number of false alarms per year: < 20/y. a) Probability to loose a magnet: < 0.1/y. b) Number of false alarms per year: < 20/y. Consequences Hazard rates ( )? Failure modes ? Hazard rates ( )? Failure modes ? Repair rates (  )? Inspection periods (  )? Repair rates (  )? Inspection periods (  )?

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio19/39 BLMS Dependability Definition of the hazard rates of the components: “How often does a component fail?” Definition of the failure modes of the components: “How does a component fail?” Fail safe design. The most probable failure of the component does not generate the worst consequence (= risk to damage a magnet). Definition of the hazard rates of the components: “How often does a component fail?” Definition of the failure modes of the components: “How does a component fail?” Fail safe design. The most probable failure of the component does not generate the worst consequence (= risk to damage a magnet).

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio20/39 FEE Dependability Irradiation tests on the analogue components to investigate hazard rate variation. Definition of the 10pA test to check the analogue channel. Irradiation tests on the analogue components to investigate hazard rate variation. Definition of the 10pA test to check the analogue channel. Irradiation tests of the optical transmitter LASERs. Doubling of the optical lines and two-out-of-three (2oo3) redundancy in the FPGA. Definition of the HT test to check all the channel functionalities. Irradiation tests of the optical transmitter LASERs. Doubling of the optical lines and two-out-of-three (2oo3) redundancy in the FPGA. Definition of the HT test to check all the channel functionalities. Transmission FPGA Status Optical fibres to surface Test logic HT test request Channel 8 Multiplexer 16 bits frames 8 20 CRC generator Multiplexer CRC generator To 10 pA source Counters 2oo3 vote 12 Channel 1 From mono- stable oo3 vote From ADC TX

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio21/39 FEE Irradiation Test Bench Selection of the instrumentations for the optical and electrical measurements during the irradiation tests. Realization of the software to control the whole bench. Selection of the instrumentations for the optical and electrical measurements during the irradiation tests. Realization of the software to control the whole bench. Measurement Bench LabVIEW Interface

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio22/39 FEE Irradiation Results Single event effect in the analogue electronics reaches a saturation level between 5·10 6 and 10 7 p/cm 2. Induced error negligible. Integral dose effect in the analogue electronics is below 100 pA after 504Gy (~25 LHC years). Hazard rate increment is negligible. LASERs not affected by the irradiation. Single event effect in the analogue electronics reaches a saturation level between 5·10 6 and 10 7 p/cm 2. Induced error negligible. Integral dose effect in the analogue electronics is below 100 pA after 504Gy (~25 LHC years). Hazard rate increment is negligible. LASERs not affected by the irradiation.

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio23/39 BEE Dependability Optical cables from FEE A DAB Mezzanine Photo- diode Trans- ceiver Photo- diode Trans- ceiver Memory: thresholds table FPGA 8 bits Energy from Combiner CL CK Q From current source or previous DAB To next DAB or Combiner MASKABLE BEAM PERMITS CL CK Q From current source or previous DAB To next DAB or Combiner UNMASKABLE BEAM PERMITS VME bus Photo- diode Trans- ceiver Photo- diode Trans- ceiver Optical cables from FEE B Energy trans- ceiver Inactive Maskable Unmaskable Channel Assignment Table Thresholds values Definition of the tests to check the integrity of the data. Definition of the thresholds windows to minimize the evaluation error (see next slide). Definition of the tests to check the integrity of the data. Definition of the thresholds windows to minimize the evaluation error (see next slide).

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio24/39 BEE Thresholds Levels An error less than 25% in the approximation of the threshold lines is reached with 11 times windows and 32 energy steps

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio25/39 Combiner card FPGA 8 bits Energy from external system Maskable beam permit Logic switch Current loops from previous Combiner From last DAB Unmaskable beam permit tests, settings, … From last DAB 8 bit Energy to DABs To next Combiner Current loops to next Combiner or to LBIS Logic switch HT Driver To-from HT (only last Combiner) Comparators Voltages and Currents signals from VME power supplies. Beam Permit Status form LBIS Maskable U n m a s k a b l e VME backplane 8 VME bus Combiner Dependability Definition of the tests to check whole signal chain. Definition of the criticalities of the energy signal. Definition of the tests to check whole signal chain. Definition of the criticalities of the energy signal.

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio26/39 VME crate (up to16BEE) Combiner i Beam Energy 8 3x current loops VME crate (up to16BEE) 3x current loops VME crate (up to16BEE) Combiner 3x current loops LBIS Combiner Power Supplies Dependability Redundant High Tension power supplies. 2oo3 redundancy of the VME power supplies. Redundant High Tension power supplies. 2oo3 redundancy of the VME power supplies. VME Power supplies 5x 5x 5x 5x 5x 5x HT 1450V HT 1500V Control lines To tunnel Beam status

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio27/39 Outline Dependability Analysis. Introduction. System Layout. Dependable Design. Sensitivity. Conclusions.

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio28/39 BLMS Predictions Rates collected mainly from the suppliers, then from historical data, and finally from the MIL-HDBK 217F. True rate. Constant. r(t) t Lifetime Early failures Random failures Wearout failures Hazard rates are assumed to be constant. After a short initial period, this assumption overestimates the failure rates. The Prediction is the estimation of the hazard rate of the components.

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio29/39 Predictions Uncertainties The Dependability Analysis will be performed on the central values. The effect of the uncertainties on the dependability results will be estimated by the Sensitivity Analysis. The Dependability Analysis will be performed on the central values. The effect of the uncertainties on the dependability results will be estimated by the Sensitivity Analysis. Supplier of the power supply in the arc: 2·10 -9 /h. of the power supply in the arc: 2·10 -9 /h. of similar power supply in the tunnel: 2·10 -6 /h. of similar power supply in the tunnel: 2·10 -6 /h. Uncertainty is given by the unknown supplier test procedures. Historical 216 detectors had no failure over 20 years (of 4800 hours). Assumption: is constant. < 4·10 -8 /h (60% of CL) 1·10 -8 /h < < 8·10 -8 /h (95%) Assumption: is constant. < 4·10 -8 /h (60% of CL) 1·10 -8 /h < < 8·10 -8 /h (95%) Uncertainty is given by the lack of failures. Military handbook has been evaluated by tests of electronics 20 years ago. New electronics evaluation (IEC standard) lower. MIL to be comparable with other LHC studies and to be conservative.

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio30/39 BLMS Testing Processes The failure probability decrease with the decrease of the inspection period. Gain test Bench tests Barcode check High Tension tests Double Optical Line Comparison 10pA test Thresholds and Channel Assignment checks Beam Inhibition Lines tests DetectorFEEBEECombiner Inspection phases: Check-in, Maintenance, Before every fill, With the beam

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio31/39 BLMS FMECA The Failure Modes, Effects and Criticalities Analysis enumerates all the failure modes of the components and studies the propagation of the failure effects to the system level. Three Ends Effects: 1. Damage Risk: probability not to be ready in case of dangerous loss. 2. False Alarm:probability to generate a false alarm. 3. Warning: probability to generate a maintenance request following a failure of a redundant component. Three Ends Effects: 1. Damage Risk: probability not to be ready in case of dangerous loss. 2. False Alarm:probability to generate a false alarm. 3. Warning: probability to generate a maintenance request following a failure of a redundant component. Almost 160 Failure Modes have been defined for the BLMS using the FMD-97 standard. Conservative hypothesis: bench tests do not eliminate the construction failure modes. Almost 160 Failure Modes have been defined for the BLMS using the FMD-97 standard. Conservative hypothesis: bench tests do not eliminate the construction failure modes. Component’s Hazard rate from prediction Component’s Hazard rate from prediction Apportionment from FMECA Failure Mode’s hazard rate of the component

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio32/39 OR Gate EVENT1 2 OR Gate EVENT1 2 AND Gate EVENT1 2 AND Gate EVENT1 2 Fault Tree Analysis The probability to have an Failure Mode A, Pr{A}, is calculated per each Failure Modes of the FMECA, given the hazard rate, the repair rate and the inspection period. 1. Two events, A & B, are statistically independent if and only if: Pr{AB} = Pr{A} × Pr{B} 1. Two events, A & B, are statistically independent if and only if: Pr{AB} = Pr{A} × Pr{B} 2. The probability that at least one of two events A and B occurs is: Pr{A + B} = Pr{A} + Pr{B} – Pr{AB} 2. The probability that at least one of two events A and B occurs is: Pr{A + B} = Pr{A} + Pr{B} – Pr{AB} The Fault Tree Analysis is based on the combinatorial statistics. Some Basic Gates (= combination laws) are: Damage Risk Blind FEE Blind BEE False Alarm by transmission Optical line1 Optical line2 Several other combination are available: XOR, Voting, NOT,…

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio33/39 Fault Trees Results The probabilities to fail (unavailability) for the BLMS have been calculated. Per each End Effects, the major contributors to such probabilities have been pointed out too. The probabilities to fail (unavailability) for the BLMS have been calculated. Per each End Effects, the major contributors to such probabilities have been pointed out too. Consequences per year Weakest componentsNotes Damage Risk 5·10 -4 (100 dangerous losses) Detector (88%) Analogue electronics (11%) Detector likely overestimated (60% CL of no failure after h). False Alarm 13 ± 4 Tunnel power supplies (57%) VME fans (28%) Tunnel power supplies likely underestimated (see sensitivity example). Warning35 ± 6 Optical line (98%) VME PS ( 1%) LASER hazard rate likely overestimated by MIL.

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio34/39 Outline Dependability Analysis. Introduction. System Layout. Dependable Design. Sensitivity. Conclusions.

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio35/39 Sensitivity Analysis The Sensitivity Analysis provides the impact of the variation of either a parameter or a system configuration on the unavailabilities of the system.. End Effect’s hazard rate of the component checked by the test t The rare event approach provides a good numeric approximation and highlights the dependencies of the variation. End Effect’s unavailability Quantity of the component Inspection period of the test t

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio36/39 Sensitivity: Results Example 1: Effect of the variation of a parameter. PS in the arc 2·10 -9 /h. If similar to the PS in the straight section (2·10 -6 /h),  = ~2·10 -6 /h.  multiplied by the sensitivity factor (1.3·10 4 h) reads:  Q = ( from Q= ). For the 400 missions, 10 extra False Alarms per year: the total number of False Alarms would be 23 ± 5. Example 1: Effect of the variation of a parameter. PS in the arc 2·10 -9 /h. If similar to the PS in the straight section (2·10 -6 /h),  = ~2·10 -6 /h.  multiplied by the sensitivity factor (1.3·10 4 h) reads:  Q = ( from Q= ). For the 400 missions, 10 extra False Alarms per year: the total number of False Alarms would be 23 ± 5.

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio37/39 Sensitivity: Considerations Redefinition of the hazard rates after one year of LHC operation. The Sensitivity Analysis allows an easy estimation of the variation of the system to such revaluations of the parameters. It can also be applied to evaluate system reconfigurations or inspection period modifications. Estimated for comparator: 2 · /h For 1932 comparators, after one LHC year: 1932 x 4800h = 9 · 10 6 equivalent working hours. For 1932 comparators, after one LHC year: 1932 x 4800h = 9 · 10 6 equivalent working hours. 2·10-7/h 1 1 3·10-7/h 2 2 1·10-7/h % CL 60% CL Number of failures

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio38/39 Outline Dependability Analysis. Introduction. System Layout. Dependable Design. Sensitivity. Conclusions.

16 December 2005 IntroductionIntroduction System Layout Dependable Design Dependability Analysis Sensitivity ConclusionsSystem LayoutDependable DesignDependability AnalysisSensitivityConclusions G. Guaglio39/39 Conclusions The average probability that in an year a channel will miss a dangerous loss is 5·10 -4 (less than the tolerated 0.1), assuming 100 dangerous losses per year. The maximum number of expected false alarms is 13 ± 4 per year (less than the tolerated 20). The expected maintenance actions (false alarms plus warnings) are 49 ± 7 per year, ~ 1 every 4 days. The average probability that in an year a channel will miss a dangerous loss is 5·10 -4 (less than the tolerated 0.1), assuming 100 dangerous losses per year. The maximum number of expected false alarms is 13 ± 4 per year (less than the tolerated 20). The expected maintenance actions (false alarms plus warnings) are 49 ± 7 per year, ~ 1 every 4 days. Due to the conservative hypothesis, all the figures are expected to be overestimated.