Presentation is loading. Please wait.

Presentation is loading. Please wait.

B. Todd, A. Apollonio, M. Kwiatkowski, R. Schmidt, S. Wagner, J. Walter a Risk-Based Approach 1v2 to Machine Protection Systems.

Published byBuck Clarke Modified over 8 years ago

Similar presentations

Presentation on theme: "B. Todd, A. Apollonio, M. Kwiatkowski, R. Schmidt, S. Wagner, J. Walter a Risk-Based Approach 1v2 to Machine Protection Systems."— Presentation transcript:

1 B. Todd, A. Apollonio, M. Kwiatkowski, R. Schmidt, S. Wagner, J. Walter a Risk-Based Approach 1v2 to Machine Protection Systems

2 CERN benjamin.todd@cern.ch Risk Based Approach to Machine Protection 1. Machine Protection in Context safety – protection – plant 2. Protection System Lifecycle assessing and specifying 3. Conclusions future work, and outlook Machine Protection fits between System Safety and Plant Systems assessment of powering system outlined, with risks & functions analysis of high risk failure cases life-cycle concept can be adapted from system safety to machine protection assessment of current implementations & specification of future

3 CERN benjamin.todd@cern.ch Safety – Protection – Plant 3 [11] Vacuum Pressure Vacuum Pump Speed Control Fulfill operational requirements Plant Systems: Vacuum Example: maintain correct pressure

4 CERN benjamin.todd@cern.ch Safety – Protection – Plant 4 [11] Vacuum Pressure Vacuum Pump Speed Control Vacuum Pressure Vacuum Valve Actuator Ensure plant stays within limits Plant Protection: Fulfill operational requirements Plant Systems: Vacuum Example: maintain correct pressure bad pressure = close valves

5 CERN benjamin.todd@cern.ch Safety – Protection – Plant 5 [11] Vacuum Pump Speed Control Vacuum Pressure Vacuum Valve Actuator Sensors, Actuators and Process may be combined No rules regarding combination Must meet functional requirement Ensure plant stays within limits Fulfill operational requirements Plant Systems:

6 CERN benjamin.todd@cern.ch Safety – Protection – Plant 6 [11] Access doors Beam absorbers personnel safe but machine at risk People in perimeter – stop machine Personnel Safety System: cannot be merged with plants Must meet legal requirement E.G. “function must meet IEC 61508 SIL 3”

7 CERN benjamin.todd@cern.ch Safety – Protection – Plant 7 [11] Prevent damage to machine Prevent undue stress to components Machine Protection System: No rules regarding implementation Must meet functional requirement

8 CERN benjamin.todd@cern.ch Safety – Protection – Plant 8 [11] powering protection closely coupled to powering plant Prevent damage to machine Prevent undue stress to components Machine Protection System: No rules regarding implementation Must meet functional requirement

9 CERN benjamin.todd@cern.ch Safety – Protection – Plant 9 [11] Personnel Safety System: Plant Systems: Machine Protection System: danger will exist – prevent – extract energy danger exists – protect – extract energy

10 CERN benjamin.todd@cern.ch Protection System Lifecycle

11 CERN benjamin.todd@cern.ch Inspired by IEC 61508 Protection System Lifecycle

12 CERN benjamin.todd@cern.ch Protection System Lifecycle Assess Existing Design System systems involved in protection are unique certain technologies used have never been tried on this scale before high cost of failure development and analysis of machine protection as if it were a safety system worked example Dipole Magnet Protection – 9GJ Protection System Lifecycle

13 CERN benjamin.todd@cern.ch CERN Protection System Lifecycle

14 CERN benjamin.todd@cern.ch 154 in series

15 CERN benjamin.todd@cern.ch QuenchDamage protectprevent 154 in series

16 CERN benjamin.todd@cern.ch Resistive zone appears in a magnet I 2 R losses begin Zone heats up (heat propagates to neighbouring magnets) Damage to magnets Hazard Chain: from Quench to Damage… Failure  Hazard Chain  Failure Catalogue 154 in series

17 CERN benjamin.todd@cern.ch Resistive zone appears in a magnet I 2 R losses begin Zone heats up (heat propagates to neighbouring magnets) Damage to magnets Hazard Chain: from Quench to Damage… What Protection Functions and Protection Systems are in place? Failure  Hazard Chain  Failure Catalogue prior experience deep thinking simulations prototyping 154 in series

18 CERN benjamin.todd@cern.ch when quench occurs… Failure  Hazard Chain  Failure Catalogue Turn off Power Converter = purple = 3 Propagate Quench = orange = 2 Extract Energy = purple = 3 Link Related Circuits = green = 1 prior experience deep thinking simulations prototyping

19 CERN benjamin.todd@cern.ch Detection Power Abort when quench occurs… Failure  Hazard Chain  Failure Catalogue Turn off Power Converter = purple = 3 Propagate Quench = orange = 2 Extract Energy = purple = 3 Link Related Circuits = green = 1 prior experience deep thinking simulations prototyping

20 CERN benjamin.todd@cern.ch Quench Heater when quench occurs… Failure  Hazard Chain  Failure Catalogue Turn off Power Converter = purple = 3 Propagate Quench = orange = 2 Extract Energy = purple = 3 Link Related Circuits = green = 1 prior experience deep thinking simulations prototyping

21 CERN benjamin.todd@cern.ch Resistor Extraction Switch when quench occurs… Failure  Hazard Chain  Failure Catalogue Turn off Power Converter = purple = 3 Propagate Quench = orange = 2 Extract Energy = purple = 3 Link Related Circuits = green = 1 prior experience deep thinking simulations prototyping Energy Extraction Loop

22 CERN benjamin.todd@cern.ch Powering Loop when quench occurs… Failure  Hazard Chain  Failure Catalogue Turn off Power Converter = purple = 3 Propagate Quench = orange = 2 Extract Energy = purple = 3 Link Related Circuits = green = 1 prior experience deep thinking simulations prototyping

23 CERN benjamin.todd@cern.ch when quench occurs… Failure  Hazard Chain  Failure Catalogue Turn off Power Converter = purple = 3 Propagate Quench = orange = 2 Extract Energy = purple = 3 Link Related Circuits = green = 1 prior experience deep thinking simulations prototyping Escape Diode

24 CERN benjamin.todd@cern.ch when quench occurs… Failure  Hazard Chain  Failure Catalogue Turn off Power Converter = purple = 3 Propagate Quench = orange = 2 Extract Energy = purple = 3 Link Related Circuits = green = 1 prior experience deep thinking simulations prototyping

25 CERN benjamin.todd@cern.ch classify probability and consequence using risk matrix risk, if function didn’t exist, according to system experts… Colour boundaries, probabilities, consequences machine dependent e.g. Annika’s Talk Turn off Power Converter = purple = 3 Propagate Quench = orange = 2 Extract Energy = purple = 3 Link Related Circuits = green = 1

26 CERN benjamin.todd@cern.ch classify probability and consequence using risk matrix risk, if function didn’t exist, according to system experts… Colour boundaries, probabilities, consequences machine dependent e.g. Annika’s Talk Turn off Power Converter = purple = 3 Propagate Quench = orange = 2 Extract Energy = purple = 3 Link Related Circuits = green = 1

27 CERN benjamin.todd@cern.ch Risk Matrix  Risk Catalogue Turn off Power Converter = purple = 3 Propagate Quench = orange = 2 Extract Energy = purple = 3 Link Related Circuits = green = 1

28 CERN benjamin.todd@cern.ch determine risk reduction level using matrix Turn off Power Converter = purple = 3 Propagate Quench = orange = 2 Extract Energy = purple = 3 Link Related Circuits = green = 1

29 CERN benjamin.todd@cern.ch = reliability requirements determine risk reduction level using matrix Turn off Power Converter = purple = 3 Propagate Quench = orange = 2 Extract Energy = purple = 3 Link Related Circuits = green = 1 RRL Matrix  RRL Catalogue

30 CERN benjamin.todd@cern.ch = reliability requirements RRL Matrix  RRL Catalogue Turn off Power Converter = purple = 3 Propagate Quench = orange = 2 Extract Energy = purple = 3 Link Related Circuits = green = 1 determine risk reduction level using matrix

31 CERN benjamin.todd@cern.ch RRL Matrix  RRL Catalogue Turn off Power Converter = purple = 3 Propagate Quench = orange = 2 Extract Energy = purple = 3 Link Related Circuits = green = 1

32 CERN benjamin.todd@cern.ch RRL Matrix  RRL Catalogue Turn off Power Converter = purple = 3 Propagate Quench = orange = 2 Extract Energy = purple = 3 Link Related Circuits = green = 1

33 CERN benjamin.todd@cern.ch expected  assess  actual? Turn off Power Converter = purple = 3 Propagate Quench = orange = 2 Extract Energy = purple = 3 Link Related Circuits = green = 1 Assess existing system implementation: coverage, quality … How do we qualify a system meets a level? How about programmable logic? See paper…

34 CERN benjamin.todd@cern.ch Turn off Power Converter = purple = 3 Propagate Quench = orange = 2 Extract Energy = purple = 3 Link Related Circuits = green = 1 Assess existing system implementation: coverage, quality … expected  assess  actual? How do we qualify a system meets a level? How about programmable logic? See paper…

35 CERN benjamin.todd@cern.ch Failure Case 1: September 2008

36 CERN benjamin.todd@cern.ch Failure Case 1: September 2008 36 commissioning circuit to 5 TeV = 9kA

37 CERN benjamin.todd@cern.ch Failure Case 1: September 2008 37 commissioning circuit to 5 TeV = 9kA

38 CERN benjamin.todd@cern.ch Failure Case 1: September 2008 38 commissioning circuit to 5 TeV = 9kA

39 CERN benjamin.todd@cern.ch Failure Case 1: September 2008 39 commissioning circuit to 5 TeV = 9kA Interconnect

40 CERN benjamin.todd@cern.ch Magnet Protection 40 Magnet Interconnect

41 CERN benjamin.todd@cern.ch Superconducting Cable Tin – Silver Foils Longditudinal View – filled with Solder Cross Section View Superconducting Cable Copper Stabiliser [1]

42 CERN benjamin.todd@cern.ch [1]

43 CERN benjamin.todd@cern.ch Magnet Protection 43 electrical arc punctures helium line [2]

44 CERN benjamin.todd@cern.ch Failure Case 1: September 2008 1. Pressure Wave propagates inside insulation vacuum enclosure 2. Rapid Pressure Rise Self actuating relief valves could not handle pressure Design: 2Kg He/s Incident: ~20 kg He/s 3. Forces on the vacuum barriers Design: 1.5 bar Incident: ~8 bar Quadrupoles Displaced by ~50 cm Cryogenic line connections damaged Vacuum to atmospheric pressure [1]

45 CERN benjamin.todd@cern.ch Incident location Dipole Bus bar [1]

46 CERN benjamin.todd@cern.ch Failure Case 1: September 2008 Quadrupole-dipole interconnection Quadrupole support Main Damage Area: 700m 39 dipoles 14 quadrupoles [1]

47 CERN benjamin.todd@cern.ch Hazard Chain had been identified in initial stages… Probability classified as negligible Risk Reduction Level was therefore minimum Installation did not conform …

48 CERN benjamin.todd@cern.ch 2009 - nQPS 48

49 CERN benjamin.todd@cern.ch 2009 - nQPS 49 Interconnect impedance is measured Energy Extracted if impedance unacceptable

50 CERN benjamin.todd@cern.ch 2009 - overall repair and consolidation 14 quadrupole magnets replaced 204 interconnections repaired 4km beam-tube cleaned longitudinal restraining system quadrupoles 900 ports for helium pressure release 6500 new detectors and 250km cables for new Interconnect Protection System collateral damage mitigation 39 dipole magnets replaced [1]

51 CERN benjamin.todd@cern.ch 2013-14: Interconnect Reworking [3, 4] 10170 interconnects to be re-worked…

52 CERN benjamin.todd@cern.ch 2013-14: Interconnect Reworking [1, 2] 10170 interconnects to be re-worked…

53 CERN benjamin.todd@cern.ch 2013-14: Interconnect Reworking [1, 2] 10170 interconnects to be re-worked…

54 CERN benjamin.todd@cern.ch Failure Case 2: January 2013

55 CERN benjamin.todd@cern.ch quench tests forced a quadrupole magnet quench, all four protection functions failed to activate Six months earlier a thunderstorm tripped several QPS detectors Piquet team needed to manually intervene to rearm Post-Analysis: mitigation of this need by new firmware, piquet did not intervene Firmware update was not applied to this particular circuit Post-Analysis: time and revalidation pressure Missing rearm does not prevent the circuit from being powered Circuit powered and unprotected for six months Event was repeated as failure of protection functions was not identified immediately Failure of this nature on dipole circuit represents most critical risk level for CERN.

56 CERN benjamin.todd@cern.ch QPS protection functions do not meet required RRL 1.Qualification of QPS Functions 2. Addition of Independent Energy Extraction Loop

57 CERN benjamin.todd@cern.ch In Conclusion…

58 CERN benjamin.todd@cern.ch Today: done using a deep-thinking argumentative approach Information is there, not organised

59 CERN benjamin.todd@cern.ch Today: done using a deep-thinking argumentative approach Information is there, not organised If we work outside to inside = protection assessment

60 CERN benjamin.todd@cern.ch Protection Functions  System Specifications Today: done using a deep-thinking argumentative approach Information is there, not organised If we work outside to inside = protection assessment If we work left to right = protection as a safety system build protection cases Stakeholders may want proof that their investment is secure e.g. Annika’s Talk

61 CERN benjamin.todd@cern.ch Fin! Thank You!

62 CERN benjamin.todd@cern.ch References P. LeBrun - LHC Performance Workshop 2009 http://indico.cern.ch/conferenceOtherViews.py?&confId=45433 http://indico.cern.ch/getFile.py/access?contribId=36&sessionId=0&resId=0&materialId=slides&confId=45433 [1] 62 Welding Interconnections on Sector 3-4, CERN Photography Service, http://cds.cern.ch/record/1225482#04 [2] J.-P. Tock - LHC Performance Workshop 2012 https://indico.cern.ch/conferenceOtherViews.py?&confId=164089 [3] CERN, EDMS Document #1171853[4]

Download ppt "B. Todd, A. Apollonio, M. Kwiatkowski, R. Schmidt, S. Wagner, J. Walter a Risk-Based Approach 1v2 to Machine Protection Systems."

Similar presentations

LHC Machine Protection

LHC Machine Protection
1S25 Arc Fault Monitor. 1S25 Arc Fault Monitor 1S25 Arc Fault Monitor Electrical arc short circuits in metal clad switchgear may occur for many different.

1S25 Arc Fault Monitor. 1S25 Arc Fault Monitor 1S25 Arc Fault Monitor Electrical arc short circuits in metal clad switchgear may occur for many different.
February 2009 Summary of Chamonix 09 Steve Myers.

February 2009 Summary of Chamonix 09 Steve Myers.
Click to edit Master title style Machine Protection and Interlocks CERN Accelerator School – May 2014 Machine

Click to edit Master title style Machine Protection and Interlocks CERN Accelerator School – May 2014 Machine
LHC UPS Systems and Configurations: Changes during the LS1 V. Chareyre / EN-EL LHC Beam Operation Committee 11 February 2014 EDMS No. 1354977111/02/2014.

LHC UPS Systems and Configurations: Changes during the LS1 V. Chareyre / EN-EL LHC Beam Operation Committee 11 February 2014 EDMS No /02/2014.
Concept & architecture of the machine protection systems for FCC

Concept & architecture of the machine protection systems for FCC
1 Superconducting Magnets for the MICE Channel Michael A. Green Oxford University Physics Department Oxford OX1-3RH, UK.

1 Superconducting Magnets for the MICE Channel Michael A. Green Oxford University Physics Department Oxford OX1-3RH, UK.
1 Where to Search for the Higgs  A direct search for the Higgs was carried out by the four LEP experiments from 1995-2000 CMS energy of 205-208 GeV The.

1 Where to Search for the Higgs  A direct search for the Higgs was carried out by the four LEP experiments from CMS energy of GeV The.
SWE Introduction to Software Engineering

SWE Introduction to Software Engineering
Machine Protection – ISSC 2010B. ToddAugust 2010 Thanks to : TE/MPE/MI, CERN Machine Protection Panel, et al 0v3 A Future Safety System?

Machine Protection – ISSC 2010B. ToddAugust 2010 Thanks to : TE/MPE/MI, CERN Machine Protection Panel, et al 0v3 A Future Safety System?
Systems Engineering Approach to MPS Risk Management Kelly Mahoney Presented at the Workshop for Machine Protection in Linear Accelerators.

Systems Engineering Approach to MPS Risk Management Kelly Mahoney Presented at the Workshop for Machine Protection in Linear Accelerators.
New HV test specification for the LHC N. Catalan for the EI section.

New HV test specification for the LHC N. Catalan for the EI section.
Laurent Tavian Thanks to contribution and helpful discussions with M. Jimenez, V. Parma, F. Bertinelli, J.Ph. Tock, R. van weelderen, S. Claudet, A. Perin,

Laurent Tavian Thanks to contribution and helpful discussions with M. Jimenez, V. Parma, F. Bertinelli, J.Ph. Tock, R. van weelderen, S. Claudet, A. Perin,
CRYOGENICS AND POWERING

CRYOGENICS AND POWERING
The Sector 3-4 incident at the LHC: fault tree and corrective measures Ph. Lebrun Risk Analysis Review Committee CERN, 5 March 2009.

The Sector 3-4 incident at the LHC: fault tree and corrective measures Ph. Lebrun Risk Analysis Review Committee CERN, 5 March 2009.
Helium Spill Test in LHC tunnel to define length of restricted working areas  Actual situation  Evolution  How to continue  Set-up of the spilling.

Helium Spill Test in LHC tunnel to define length of restricted working areas  Actual situation  Evolution  How to continue  Set-up of the spilling.
LHC Status ReportLHC Status Report Lyn Evans 96 th LHCC meeting, CERN 19 th November 2008.

LHC Status ReportLHC Status Report Lyn Evans 96 th LHCC meeting, CERN 19 th November 2008.
A. Verweij, TE-MPE. 3 Feb 2009, LHC Performance Workshop – Chamonix 2009 Arjan Verweij TE-MPE - joint stability - what was wrong with the ‘old’ bus-bar.

A. Verweij, TE-MPE. 3 Feb 2009, LHC Performance Workshop – Chamonix 2009 Arjan Verweij TE-MPE - joint stability - what was wrong with the ‘old’ bus-bar.
A. Siemko and N. Catalan Lasheras Insulation vacuum and beam vacuum overpressure release – V. Parma Bus bar joints stability and protection – A. Verweij.

A. Siemko and N. Catalan Lasheras Insulation vacuum and beam vacuum overpressure release – V. Parma Bus bar joints stability and protection – A. Verweij.
1 Second LHC Splice Review Copper Stabilizer Continuity Measurement possible QC tool for consolidated splices H. Thiesen 28 November 2011 K. Brodzinski,

1 Second LHC Splice Review Copper Stabilizer Continuity Measurement possible QC tool for consolidated splices H. Thiesen 28 November 2011 K. Brodzinski,

Similar presentations

Ads by Google