Will We Ever Get The Green Light For Beam Operation? J. Uythoven & R. Filippini For the Reliability Working Group Sub Working Group of the MPWG
Topics of the Presentation LHC Machine Protection System (MPS) Red / green light to LHC operations ‘Reliability’ concerns Safety and Availability The simplified MPS studied Models, analysis and results Comments and remarks Conclusions Jan Uythoven, AB/BT Chamonix@CERN 2005, Green Light
MPS: Avoid Damage Red Light Red light for beam operation If we need to abort the beam, does it get dumped correctly? Safety Main tasks of MPS Transmission of beam dump request Execution of beam dump request Historical Afraid of missing or bad execution of a beam dump Historical concept of ‘reliable’ beam dumping system: 1 failure per 100 years Jan Uythoven, AB/BT Chamonix@CERN 2005, Green Light
MPS: Allow Operation Green Light Green light for beam operation Does the MPS let us operate the machine? Availability False dump No green light due to Faulty ‘core equipment’ within the MPS Fault in the surveillance system within the MPS: False Alarm Jan Uythoven, AB/BT Chamonix@CERN 2005, Green Light
Aims of Machine Protection System Analysis RELIABILITY: The probability that the system is performing the required function for a stated PERIOD OF TIME RELIABILITY The plane is reliable if it gets me to my destination, once it is in the air SAFETY: One engine of the airplane broke down, but it landed safely at a different airport AVAILIBILITY: The plane leaves on time – on demand Processes which are not continuous; repair the plane between flights Safety of the MPS System available on demand (at moment of dump request) False dumps are allowed, system remains safe Unsafety in terms of probability per year The probability that the system terminates its task without any consequences regarding damage or loss of equipment. The probability that the system is performing the required function at a stated instant of time. And what about RELIABILITY ? The ensemble is called DEPENDABILITY Availability of the MPS System available on demand (at moment of dump request) No false dumps are allowed Unavailability in term of number of false dumps per year Jan Uythoven, AB/BT Chamonix@CERN 2005, Green Light
Aims of Machine Protection System Analysis Safety of the MPS System available on demand (at moment of dump request) False dumps are allowed, system remains safe Unsafety in terms of probability per year The probability that the system terminates its task without any consequences regarding damage or loss of equipment. The probability that the system is performing the required function at a stated instant of time. Availability of the MPS System available on demand (at moment of dump request) No false dumps are allowed Unavailability in term of number of false dumps per year Jan Uythoven, AB/BT Chamonix@CERN 2005, Green Light
Machine Protection System Simplified Architecture BIS Beam Interlock System: BIC1 (R/L) – BIC8 (R/L) BIC x Beam Interlock Controller at point x (our definition) BLM Beam Loss Monitors LBDS LHC Beam Dumping System PIC Powering Interlock Controller QPS Quench Protection System Jan Uythoven, AB/BT Chamonix@CERN 2005, Green Light
Functional Architecture Used for the Calculations BIC 1 Dump request from the control room QPS Systems available at a dump request from point x PIC BLM BIC x BIC 6L LBDS Systems to be available at any dump request BIC 6R Jan Uythoven, AB/BT Chamonix@CERN 2005, Green Light
Assumptions for MPS Calculations Operational scenario Assume 200 days/year of operation, 10 hours per run followed by post mortem, 400 fills per year For every beam dump LBDS + (BIC+BLM+PIC+QPS)point x Conservative for safety calculations concerning BLM, PIC and QPS Realistic for availability calculations Failure rates Assume constant failure rates Calculated in accordance to the Military Handbook 217F Others The system may fail only when it operates It cannot be repaired if failed unsafe GAME OVER The rate at which failure occurs as a function of time Jan Uythoven, AB/BT Chamonix@CERN 2005, Green Light
Benefit of Diagnostics for Redundant Systems Diagnostics is performed every 10 hours (example) The system is recovered at full redundancy Regeneration points Failure rate is lower bounded by the non-redundant part 10-7/h 10-4 /h Jan Uythoven, AB/BT Chamonix@CERN 2005, Green Light
Assumptions for MPS Calculations … continued Regeneration points depend on diagnostics effectiveness Benefits from diagnostic exist for all redundant systems in the MPS The instant when a system is recovered to a fault free state (as good as new) SYSTEM Partial regeneration As good as new LBDS, BIC, PIC - Post mortem at every fill QPS Power abort or monthly inspection BLM Yearly overhaul Jan Uythoven, AB/BT Chamonix@CERN 2005, Green Light
Subsystem Analysis LBDS BEAM dumped BEAM in the LHC Powering + Surveillance Dump request BEM MKD Q4,MSD MKB TDE Triggering + Re-triggering Dump trigger RF Jan Uythoven, AB/BT Chamonix@CERN 2005, Green Light
State Transition Diagram LBDS Failed safely Undetected faults Detected faults Surveillance SAFETY = available or failed safely Available Failed Silent faults False alarm Jan Uythoven, AB/BT Chamonix@CERN 2005, Green Light
Chamonix@CERN 2005, Green Light Results for one LBDS Results for the MKD kickers including the triggering/re-triggering systems and the powering surveillance ONE LBDS Unsafety / year False dumps / year The system 1.410-7 2.6 (+/-1.6) Safety bottleneck MKD Magnets (coils + current cables): no surveillance False dumps bottleneck Power triggers (power supplies) Jan Uythoven, AB/BT Chamonix@CERN 2005, Green Light
Chamonix@CERN 2005, Green Light Some Plots False dumps distribution per year Unsafety per year = 400 missions Jan Uythoven, AB/BT Chamonix@CERN 2005, Green Light
Chamonix@CERN 2005, Green Light Post Mortem for LBDS Post mortem benefit Analyses the past fill and recovers the system to as good as new state Gives the local beam permit to the next LHC fill. Note Faulty post mortem may seriously affect safety. LBDS failure rate with and without post mortem (over 10 consecutive missions) Without post mortem With .. Jan Uythoven, AB/BT Chamonix@CERN 2005, Green Light
Results for the Simplified MPS System Unsafety/year False dumps/year Average Std. Dev. Analysis including Not included LBDS [RF] 1.4 10-7 (2X) 2.6 (2X) (+/-1.6) (Re-)triggering system,MKD (MIL-217F) BET, BEM (assumptions) MSD, Q4, MKB TDE BIC [BT] 0.7 10-3 1.6 (+/-1.3) User Boxes only (MIL-217F) BIC core, VME and permit loops BLM [GG] 1.7 10-3 4.8 (+/-2.1) Focused loss on single monitor (MIL-217F, SPS data) Design upgrades PIC [MZ] 0.5 10-3 1.5 (+/-1.2) One LHC sector (MIL-217F) PLC QPS [AV] 0.4 10-3 7.7 (+/-2.7) Complete system (MIL-217F) Power converters for electronics OVERALL RESULTS MPS 3.3 10-3 20.6 (+/-10.5) - Jan Uythoven, AB/BT Chamonix@CERN 2005, Green Light
Comment on Results Safety Probability of failing unsafe about 300 years (Mean Time To Failure) The punctual loss for the BLM is too conservative as a beam loss is likely to affect several monitors. If at least two monitors are concerned then BLM unsafety < 2.910-6 per year instead of 1.710-3 Optimistic method of calculation BIC model only includes user boxes (= single point of failure) Many systems not included in the analysis But most critical systems should be in Conservative method of calculation Assumes all systems (one of each) have to be available for every beam dump The QPS, the PIC and the BLM are not always required LBDS itself extremely safe Due to large redundancy in the active system and in the surveillance system Jan Uythoven, AB/BT Chamonix@CERN 2005, Green Light
Comments on Results Availability 20 false dumps per year expected 5 % of all fills (+/- 2.5% std. dev.) One third of it expected to origin from the QPS Calculations of availability based on About 3500 BLMs About 4000 channels for QPS 36 PIC and 16 BIC systems Generally Contribution of powering system within the MPS needs to be assessed in more detail and could have been overestimated For QPS power converters of electronics are not included. If included number of false quenches almost x 2 – see Chamonix 2003, p. 209. However, the pc could be doubled if found necessary ($) Some systems still under development Jan Uythoven, AB/BT Chamonix@CERN 2005, Green Light
Chamonix@CERN 2005, Green Light Keeping in mind Results shown for a simplified model of the MPS Not in: beam position, RF, collimation system, post mortem Distinction on source of dump requests could be necessary Distinction on fraction of false dumps due to surveillance and due to the actual equipment can be interesting Some calculations are preliminary (BIC) Sensitivity analyses Availability also depends on systems outside the MPS Power converters, cryogenics, vacuum,… Jan Uythoven, AB/BT Chamonix@CERN 2005, Green Light
Trading-off Safety and Availability The MPS is a trade-off Safety is the primary goal of the MPS while keeping the Availability acceptable Many interlocks make the system safer BUT any faulty interlock (fail-safe) reduces the availability of the system Therefore, Safety and Availability are correlated. Safe beam flag Benefit: some interlocks are maskable during non critical phases Operational freedom, increased availability Drawback: reliable tracking of phase changes is mandatory If it fails, it must fail safely Jan Uythoven, AB/BT Chamonix@CERN 2005, Green Light
Chamonix@CERN 2005, Green Light Conclusions Safety Failing unsafe 3 /1000 years Equivalent to 7.5 10-7/h and compatible with SIL2 (10-7/h) of IEC-61508 standard for safety critical system Beam dumping system itself: 7 10-11/h: SIL4 Acceptable ? Availability coming from MPS 20 false dumps per year, 5 % of all fills Other systems ? Comments Simplified system Importance of post mortem Reliable safe beam flag Green Light from MPS: 95 % of the time Acknowledgements: Machine Protection Reliability Working Group Jan Uythoven, AB/BT Chamonix@CERN 2005, Green Light