Reliability analysis of the Input Monitor in the BLEDP
Vegard Joa Moseng
BI - BL Student meeting
Overview:
From «The new BLM system for the injector complex», BI DAY 2012 – William Viganò
The circuit:
About the Input Monitor circuit
Measurement Methods: The input monitoring system has two different measurement levels. One is the Fully Differential Frequency Converter (FDFC), which measures detector output currents from 10 pA to 30 mA. In this measurement method, the ADC is attached to the differential output of an integrator in the input monitor. The other is the Direct ADC Acquisition (DADC), which measures detector output currents from 80 µA to 200 mA. Here the ADC is attached to an input resistor on which the voltage drop is measured.
Operation: The input monitor is responsible for processing the information provided by the monitors into a value that is usable by the FPGA and its algorithms.
Integration in the system
Criticality: For each detector connected to the BLEDP, there is one input monitor circuit and one ADC. There are therefore 8 input monitor and ADC circuits per BLEDP. The input monitor and the ADC are critical for the operation of both measurement methods, and are thus critical for one channel in the BLEDP. Therefore, the loss of an ADC is equivalent to the loss of a detector. The Input Monitor and the ADC have two main failure modes that affect the operation of the BLEDP: complete failure (no output), and erroneous output (from either internal failures or erroneous inputs).
Detection: As a part of the new acquisition system, an improved connectivity check is planned which is capable of frequently testing the entire detector supply chain. This should therefore be able to detect an erroneous output by its reference current. This will not, however, explicitly indicate that the ADC is giving erroneous outputs, but it will be sufficient to cause a false dump and the replacement of the BLEDP card, thus maintaining the operation of the machines without a blind failure.
Block system
The block arrangement: To simplify the analyses and to make it easier for the readers to identify important information, the report is constructed in blocks rather than components. For the blocks, the important failure modes for the individual components have been added to make sure all components have been evaluated and that the crucial information is preserved in the report.
The blocks are (FM = Failure modes – 117 in total):
1. Digital potentiometer block (5 FM)
2. Saturation monitoring block (17 FM)
3. Stop function block (4 FM)
4. Switch FDFC / DADC to ADC block (4 FM)
5. Buffer amplifier block (14 FM)
6. Voltage reference generator block (7 FM)
7. Comparators block (13 FM)
8. Flip-Flop block (9 FM)
9. Offset current and detector input block (9 FM)
10. Switch FDFC - DADC to Input Switch (4 FM)
11. Input switch block (4 FM)
12. Fully differential integrator block (12 FM)
13. Power supply for digital potentiometer block (4 FM)
14. Input voltage filtering block (3 FM)
15. Other filtering blocks (8 FM)
Reliability analysis
MTTF: The value is for a single circuit. For the BLEDP the card will have 8 Input Monitor and ADC circuits, which means that the overall MTTF for the BLEDP will be a weighted average of all the circuits.
Failure rate (1x Input Monitor): 2.757E-06
MTTF in hours: 3.627E+5
MTTF in years: ~41 years
Severity ranking:
1. No effect: Non-critical failure such as filtering.
2. Maintenance: Failure in redundant components and other failures that allow for continued operation but should be fixed as soon as possible.
3. False dump: Failures that cause loss of critical functionality and/or safety and will cause the system to abort (dump the beam).
4. Blind failure: Failures where you are unable to detect erroneous information, or where you have no protection when you expect to have it.
Risk Priority Numbers
Total:
Severity = 351
Occurrence = 1
Detection = 1
RPN = (3 x 1 x 1) x 117 = 351
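The MTTF, failure-mode and RPN figures above can be cross-checked with a short script. This is an added example, not part of the original presentation; it assumes the failure rate is per hour and constant (exponential model), and the one-year horizon and the independence of the 8 circuits on a card are assumptions made for illustration.

```python
import math

# Figures from the slides. The slides give no unit for the failure rate;
# "per hour" is assumed because 1 / rate matches the quoted MTTF in hours.
FAILURE_RATE = 2.757e-06
CHANNELS_PER_CARD = 8
HOURS_PER_YEAR = 8760  # assumption: 365-day year
SEVERITY, OCCURRENCE, DETECTION = 3, 1, 1  # rankings used on the RPN slide

BLOCK_FAILURE_MODES = {
    "Digital potentiometer": 5, "Saturation monitoring": 17,
    "Stop function": 4, "Switch FDFC / DADC to ADC": 4,
    "Buffer amplifier": 14, "Voltage reference generator": 7,
    "Comparators": 13, "Flip-Flop": 9,
    "Offset current and detector input": 9,
    "Switch FDFC - DADC to Input Switch": 4, "Input switch": 4,
    "Fully differential integrator": 12,
    "Power supply for digital potentiometer": 4,
    "Input voltage filtering": 3, "Other filtering": 8,
}

def mttf_hours(rate):
    """MTTF of one circuit under a constant failure rate."""
    return 1.0 / rate

def total_rpn(blocks, severity, occurrence, detection):
    """Sum of S x O x D over all failure modes, all ranked identically."""
    return severity * occurrence * detection * sum(blocks.values())

def prob_any_failure(rate, hours, units=1):
    """P(at least one of `units` independent circuits fails within `hours`)."""
    return 1.0 - math.exp(-units * rate * hours)

if __name__ == "__main__":
    hours = mttf_hours(FAILURE_RATE)
    print(f"MTTF: {hours:.4g} h = {hours / HOURS_PER_YEAR:.1f} years")
    print(f"Failure modes: {sum(BLOCK_FAILURE_MODES.values())}")
    print(f"Total RPN: {total_rpn(BLOCK_FAILURE_MODES, SEVERITY, OCCURRENCE, DETECTION)}")
    one = prob_any_failure(FAILURE_RATE, HOURS_PER_YEAR)
    card = prob_any_failure(FAILURE_RATE, HOURS_PER_YEAR, CHANNELS_PER_CARD)
    print(f"P(failure within 1 year): one circuit {one:.3f}, any of 8 {card:.3f}")
```

Under these assumptions a 41-year MTTF for one circuit still corresponds to a noticeable yearly probability that at least one of the 8 circuits on a card fails, which is why the detection of erroneous outputs matters.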
Comments
A total of 117 failure modes for random failures in the Input Monitor circuit will cause a failure inconsistent with good operation, and in most cases these will cause the beam to be dumped at the next possible dump site. However, the individual probabilities of the failures are so low that they are considered highly unlikely. Satisfactory detection is also implemented, meaning there are no failures that will manifest as a blind failure. Given the overall low probability and the reliability-focused design, no special action is warranted.