B. Todd, A. Apollonio, S. Gabourin, S. Uznanski: Principles and Experience in the Design & Operation of Dependable Systems (1v2)

Presentation transcript:

Outline: 1. CERN and the LHC 2. Dependable Design Principles 3. Experiences to date
Key messages: Dependable systems are the result of good engineering practices. Good engineers = good systems. Failure modes are just as important as rates. Watch out for the dependencies. System specifications need dependability requirements.

CERN: European Centre for Nuclear Research (Conseil Européen pour la Recherche Nucléaire). Founded in 1954. Funded by the European Union. 20 Member States, 8 Observer States and Organisations, 35 Non-Member States. …Japan, Russia, USA… 580 Institutes World Wide, 2500 Staff, 8000 Visiting Scientists. …Australia, Canada, New Zealand… …most of the EU…
Pure Science – Particle Physics: 1. Pushing the boundaries of research, physics beyond the standard model. 2. Advancing frontiers of technology. 3. Forming collaborations through science. 4. Educating the scientists and engineers of tomorrow.

CERN uses particle accelerators and detectors to study the basic constituents of matter. Accelerators boost beams of particles to high energies before they are made to collide with each other or with stationary targets. Detectors observe and record the results of these collisions. Our flagship project is the Large Hadron Collider…

CERN Accelerator Complex (map): Lake Geneva, Geneva Airport, CERN LAB 1 (Switzerland), CERN LAB 2 (France), Proton Synchrotron (PS), Super Proton Synchrotron (SPS), Large Hadron Collider (LHC): 27km long, 150m underground

CERN Accelerator Complex: Large Hadron Collider (LHC), Beam-1 Transfer Line (TI2), Beam-2 Transfer Line (TI8), Beam Dumping Systems, Super Proton Synchrotron (SPS). 100us for one turn

CERN Accelerator Complex, experiments: CMS, ALICE, ATLAS, LHC-b

ATLAS – A Toroidal LHC ApparatuS

LHC Parameters
…to see the rarest events… LHC needs high luminosity of [cm^-2 s^-1], 3 x p per beam at 7 TeV
… to get 7 TeV operation… LHC needs 8.3 Tesla dipole fields with circumference of 27 kms (16.5 miles)
… to get 8.3 Tesla … LHC needs super-conducting magnets <2°K (-271°C) with an operational current of ≈13kA, cooled in superfluid helium, maintained in a vacuum [11]
Stored energy per beam is 360 MJ, two orders of magnitude higher than others
Stored energy in the magnet circuits is 9 GJ
A magnet will QUENCH with milliJoule deposited energy
[Table: Year, Peak Energy [TeV], Peak Intensity [p], Peak Luminosity [cm^-2 s^-1], Total Physics [yr^-1]] [1,2,3,4]

Dependable Design Principles - a design flow

Systems… Critical code: a non-complex system with many components, <1k lines; a complex system with few components, Safe Machine Parameters (SMP), >80k lines; a complex system with many components; Beam Interlock System (BIS); Function Generator Controller Lite (FGClite), >>80k lines

Power Converter Types [4,5]

Power Converter Types: Function Generator Controller (FGC), ≈1000 replaced with FGClite [5,6]

Power Converter

Reliability Requirements: For > 1000 units… acceptable failure rate < 40 per year… Mean Time Between Failures > hours. Electrical; SEE radiation cross-section <1 x ; > hours. Equipment lifetime > 25 years… electrical; DD / TID radiation >200 Grays; design for 25 years.
Techniques such as application of MIL-217 = predict electrical reliability. Scientific testing and analysis = predict radiation cross-section and lifetime. Working on a model to integrate radiation effects with electrical in ISOGRAPH.

FGClite Design Flow [7]
Class 0 (C0): components known to be resistant, or easily replaced; conceptual design not influenced by these components. Resistors, capacitors, diodes, transistors…
Class 1 (C1): components potentially susceptible to radiation, in less-critical parts of the system. Substitution of parts or mitigation of issues is possible with a re-design. Regulators, memory, level translators…
Class 2 (C2): components potentially susceptible to radiation, in more-critical parts of the system. The conceptual design is compromised if these components do not perform well. Substitution of parts or mitigation of issues would be difficult. Precision ADC, FPGA…

Example HW Reliability Optimisation

Experiences Running LHC to Date: Availability Working Group

Physics Fill Abort Root Cause: physics fills [9]

Lost Physics and Fault Time: hours = 34 days = lost physics; 1524 hours = 64 days = fault time [9]

Machine Protection Faults [10]: systems, >250 faults, ≈36 failure modes, >360h repair time. BLM, QPS. Failure modes very important for fault evolution. Unrealistic to draw proper conclusions – don’t record raw data consistently.

2005 Predictions… [9]
False dumps: failure of system which leads to “fail-safe” premature abort.
System, Predicted 2005, Observed 2010, Observed 2011, Observed 2012: LBDS 6.8 ±, BIS 0.5 ±, BLM 17.0 ±, PIC 1.5 ±, QPS 15.8 ±, SIS-424
Reliability in line with expectations… (!!) despite the almost-witchcraft used to create the numbers… But the failure modes are not the same.

Proposal - An LHC Fault Tracker: Visualisation of Events of 15th – 16th August 2012. LHC “e-logbook”, TE-EPC Log, TE-MPE-COMS; TE-EPC view, TE-MPE view, OP view. Impact on machine easier to infer.

Personal experience with the Beam Interlock System…

Blurred Lines at System Boundaries
Identify and account for dependencies: Services, Infrastructure, Controls. Not part of analysis… …failures attributed to?
CERN Controls Standard Power PC: 8 out of 33 failed to date. Outside the analysis scope.
Redundancy is more effective when it goes beyond the system boundary.
Consider dependability during installation: connections between systems influence reliability; maintenance directly influences availability. Reliability-Centred-Maintenance? Preventive Maintenance?
A.N. Other User System… Beam Interlock Controller. Where do we start debugging?
Open racks… mystery of the missing 220V cable…
100kg of batteries in front of the spares cupboard… and no pallet lifter in sight…

Fin. Thank you!

References: From the Chamonix Performance Workshop [1] Extracted from [2] Extrapolated from W. Herr’s talk: “Luminosity Performance Reach After LS1” [3] Total Physics is from ATLAS [4] Figures and flow derived from work by Y. Thurel and S. Uznanski [7] Derived from [5] Photographs courtesy Y. Thurel et al, from: “LHC Power Converters the Proposed Approach” [6] From M. Kwiatkowski’s talk during SMP review at MPP [8] B. Todd et al, “Review 2012 – Operational Availability & Efficiency” [9] B. Todd et al, “Performance & Availability of MPS 2008 – 2012” [10]

Hidden Faults: A worked example of potential dormant failure…

Hidden Faults: 275 hardware inputs, 4 software inputs. (48%) never triggered; 53 (19%) triggered once; 564 (>50%) beam aborts from 12 inputs. 564 (>50%) beam aborts from 7 systems: 165 x Operator Buttons, 148 x Programmable Dump, 93 x BPM (IR6), 49 x SIS, 45 x BLM (SR7), 43 x RF, 21 x PIC (US15). Testing & maintenance plan needed - periodically ensure function.

Software versus Programmable Logic

– 2012 BIS reliability: not enough data yet