Dependability Requirements of the LBDS and their Design Implications Jan Uythoven (AB/BT) References to work by R.Filippini (Ph.D. thesis) and Machine Protection Working Group

Outline Requirements on the LBDS in the context of the Machine Protection System Dependability numbers for the MPS Dependability numbers for the LBDS Safe Design of the LBDS Measures taken Sensitivity Procedures Conclusions Jan Uythoven, AB /BT LBDS Audit, 28 January 2008

Dependability Requirements of the LHC Machine Protection System Safety Assessment (‘reliability’) IEC 61508 standard defining the different Safety Integrity Levels (SIL) ranking from SIL1 to SIL4 Based on Risk Classes = Consequence x Frequency Machine Protection System for the LHC should be SIL3, taking definition of Protection Systems, with a probability of failure between 10-8 and 10-7 per hour (because of short mission times) Catastrophy = beam should have been dumped and this did not take place; can possibly cause large damage With 200 days of operation per year: 1/10-7 hours  1 failure every 2000 years Availability Definition: Beam is dumped when it was not required Operation can not take place because the protection system does not give the green light (is not ready) Requirement: Definition not according to any standard Downtime comparable to other accelerator equipment; maximum tens of operations per year Jan Uythoven, AB /BT LBDS Audit, 28 January 2008

The LBDS within the Machine Protection System Study of simplified Machine Protection System LBDS, BIC, BLM, QPS, PIC Absolute value of the unsafety and # false dumps depend critically on model assumptions Dependability studies were made for each sub-system Unsafety of the LBDS and availability comparable to the other systems: Unsafety 2 x 2.4 x 10-7 /year False dumps 2 x 4 /year Resulting safety number can be between SIL2 and SIL4 LBDS Safety > SIL 4 ! Jan Uythoven, AB /BT LBDS Audit, 28 January 2008

Calculation of the LBDS Dependability Numbers Ph.D thesis Roberto Filippini FMECA analysis More than 2100 failure modes at component levels Components failure rates from standard literature (Military Handbook) Arranged into 21 System Failure modes Operational Scenarios with State Transition Diagram for each Mission = 1 LHC fill State Transition Diagram for Sequence of Missions and checks Jan Uythoven, AB /BT LBDS Audit, 28 January 2008

No single point of failure should exist in the LBDS Fault Tolerant Design No single point of failure should exist in the LBDS Redundancy is introduced to allow failures up to a certain threshold Redundancy in components and in signal paths. Surveillance detects failures and issues a fail safe dump request. Redundancy 14 out of 15 MKD, 1 out of 2 MKD generator branches Surveillance Energy tracking, Retriggering 1 out of 4 MKBH, 1 out of 6 MKBV Energy tracking Energy tracking, Fast current change monitoring (MSD) 1 out of 2 trigger generation and distribution Synchronization tracking Reference energy taken from 4 Main Dipole circuits TX/RX error detection Voting of inputs Jan Uythoven, AB /BT LBDS Audit, 28 January 2008

Apportionment of Dependability Safety and number of false dumps are apportioned to the LBDS components. The MKD is the most complicated and critical system of the LBDS. It makes the largest contribution both to unsafety (75 %) and to the number of false dumps (60 %). Jan Uythoven, AB /BT LBDS Audit, 28 January 2008

Sensitivity to Fault Tolerant Design and Surveillance (ReTrig.System) All these systems are obligatory ! Jan Uythoven, AB /BT LBDS Audit, 28 January 2008

Sensitivity to Assumed Failure Rates Important for Safety Important for Availability Jan Uythoven, AB /BT LBDS Audit, 28 January 2008

Safety by Operation / Procedures Periodic checks to get back to a state which is ‘as good as new’ Failure rates of redundant systems increase in time – get back to zero (different from aging) Included in Dependability Calculations After each LHC beam dump the green light for injection is only given when Internal Post Operational Check (IPOC) is ok: MKD and MKB current waveforms Redundancy in current paths … External Post Operational Check (XPOC): Image on screen in front of beam dump Beam Loss Monitors in the extraction area and dump line Testing before operation Tests in the laboratory, before installation Tests once installed, before operation with beam Talk NM Talk EG Talk JU Jan Uythoven, AB /BT LBDS Audit, 28 January 2008

Conclusions The Beam Dumping System has been designed with Safety and Availability as design criteria Redundancy Surveillance Procedures A detailed dependability analysis has been made for the Beam Dumping System and other Machine Protection Subsystems Coherency within the Machine Protection System should lead to acceptable safety and availability of the MPS as a whole Beam Dumping System not a weak link of the MPS concerning safety Acceptable number of false beam dumps from the LBDS Within the Beam Dumping System Sensitivity to design parameters / redundancy shows that correct design choices seem to have been made To the ‘invited experts’ of the Audit to confirm (or not) Jan Uythoven, AB /BT LBDS Audit, 28 January 2008