Will We Ever Get The Green Light For Beam Operation?


1 Will We Ever Get The Green Light For Beam Operation?
J. Uythoven & R. Filippini
For the Reliability Working Group, Sub Working Group of the MPWG

2 Topics of the Presentation
- LHC Machine Protection System (MPS)
- Red / green light to LHC operations
- 'Reliability' concerns
- Safety and Availability
- The simplified MPS studied
- Models, analysis and results
- Comments and remarks
- Conclusions
Jan Uythoven, AB/BT , Green Light

3 MPS: Avoid Damage Red Light
Red light for beam operation
- If we need to abort the beam, does it get dumped correctly? (Safety)
Main tasks of MPS
- Transmission of beam dump request
- Execution of beam dump request
Historical
- Afraid of missing or bad execution of a beam dump
- Historical concept of 'reliable' beam dumping system: 1 failure per 100 years

4 MPS: Allow Operation Green Light
Green light for beam operation
- Does the MPS let us operate the machine? (Availability)
False dump
No green light due to
- Faulty 'core equipment' within the MPS
- Fault in the surveillance system within the MPS: False Alarm

5 Aims of Machine Protection System Analysis
RELIABILITY: The probability that the system is performing the required function for a stated PERIOD OF TIME.
- The plane is reliable if it gets me to my destination, once it is in the air.
SAFETY: The probability that the system terminates its task without any consequences regarding damage or loss of equipment.
- One engine of the airplane broke down, but it landed safely at a different airport.
AVAILABILITY: The probability that the system is performing the required function at a stated instant of time.
- The plane leaves on time, on demand.
- Processes which are not continuous; repair the plane between flights.
The ensemble is called DEPENDABILITY.
Safety of the MPS
- System available on demand (at moment of dump request)
- False dumps are allowed, system remains safe
- Unsafety in terms of probability per year
Availability of the MPS
- System available on demand (at moment of dump request)
- No false dumps are allowed
- Unavailability in terms of number of false dumps per year
And what about RELIABILITY?

6 Aims of Machine Protection System Analysis
Safety of the MPS
- Definition: the probability that the system terminates its task without any consequences regarding damage or loss of equipment.
- System available on demand (at moment of dump request)
- False dumps are allowed, system remains safe
- Unsafety in terms of probability per year
Availability of the MPS
- Definition: the probability that the system is performing the required function at a stated instant of time.
- System available on demand (at moment of dump request)
- No false dumps are allowed
- Unavailability in terms of number of false dumps per year

7 Machine Protection System Simplified Architecture
BIS: Beam Interlock System, BIC1 (R/L) – BIC8 (R/L)
BIC x: Beam Interlock Controller at point x (our definition)
BLM: Beam Loss Monitors
LBDS: LHC Beam Dumping System
PIC: Powering Interlock Controller
QPS: Quench Protection System

8 Functional Architecture Used for the Calculations
[Diagram. Block labels: BIC 1, QPS, PIC, BLM, BIC x, BIC 6L, BIC 6R, LBDS. Captions: "Dump request from the control room"; "Systems available at a dump request from point x"; "Systems to be available at any dump request".]

9 Assumptions for MPS Calculations
Operational scenario
- Assume 200 days/year of operation, 10 hours per run followed by post mortem, 400 fills per year
For every beam dump
- LBDS + (BIC+BLM+PIC+QPS) at point x
- Conservative for safety calculations concerning BLM, PIC and QPS
- Realistic for availability calculations
Failure rates
- Failure rate: the rate at which failure occurs as a function of time
- Assume constant failure rates
- Calculated in accordance with the Military Handbook 217F
Others
- The system may fail only when it operates
- It cannot be repaired if failed unsafe: GAME OVER

10 Benefit of Diagnostics for Redundant Systems
- Diagnostics is performed every 10 hours (example)
- The system is recovered at full redundancy
- Failure rate is lower bounded by the non-redundant part
[Plot. Labels: Regeneration points; 10^-7/h; 10^-4/h]

11 Assumptions for MPS Calculations … continued
- Regeneration point: the instant when a system is recovered to a fault free state (as good as new)
- Regeneration points depend on diagnostics effectiveness
- Benefits from diagnostics exist for all redundant systems in the MPS
SYSTEM / Partial regeneration / As good as new
LBDS, BIC, PIC: - / Post mortem at every fill
QPS: Power abort or monthly inspection
BLM: Yearly overhaul

12 Subsystem Analysis LBDS
[Block diagram. Labels: BEAM in the LHC; Dump request; BEM; Dump trigger; RF; Triggering + Re-triggering; Powering + Surveillance; MKD; Q4, MSD; MKB; TDE; BEAM dumped]

13 State Transition Diagram LBDS
SAFETY = available or failed safely
[State transition diagram. States: Available; Failed safely; Failed. Transition labels: Detected faults; Undetected faults; Silent faults; False alarm; Surveillance]

14 Chamonix@CERN 2005, Green Light
Results for one LBDS
Results for the MKD kickers including the triggering/re-triggering systems and the powering surveillance
ONE LBDS: Unsafety / year; False dumps / year
The system: 1.4 × 10^-7; 2.6 (+/-1.6)
Safety bottleneck
- MKD Magnets (coils + current cables): no surveillance
False dumps bottleneck
- Power triggers (power supplies)

15 Some Plots
[Plots. Titles: False dumps distribution per year; Unsafety per year = 400 missions]

16 Post Mortem for LBDS
Post mortem benefit
- Analyses the past fill and recovers the system to as good as new state
- Gives the local beam permit to the next LHC fill.
Note
- Faulty post mortem may seriously affect safety.
[Plot: LBDS failure rate with and without post mortem (over 10 consecutive missions). Curves: Without post mortem; With ..]
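Added example (not from the presentation): a minimal model of the regeneration effect described on slides 10, 11 and 16, for a redundant pair of channels in series with a non-redundant part, compared over 10 consecutive 10-hour missions with and without as-good-as-new recovery at each post mortem. The failure rates are constructed sample values and the function names are hypothetical; the model assumes constant failure rates, independent channels and perfect diagnostics.

```python
import math

# Constructed sample values (assumptions, not results from the presentation).
LAM_CHANNEL = 1e-4   # failure rate of each redundant channel, per hour
LAM_SINGLE = 1e-7    # failure rate of the non-redundant part, per hour
MISSION_H = 10.0     # one fill, in hours
N_MISSIONS = 10

def hazard_pair(age_h, lam):
    """Failure rate of a 1-out-of-2 pair that was fault free at age 0.

    With q = 1 - exp(-lam*t) the pair survives with R = 1 - q^2, so
    h = -R'/R = 2*lam*(1-q)*q / ((1-q)*(1+q)) = 2*lam*q / (1+q).
    """
    q = -math.expm1(-lam * age_h)
    return 2.0 * lam * q / (1.0 + q)

def system_hazard(t_h, period_h=None):
    """Pair in series with the non-redundant part.

    If period_h is given, the pair's age resets at every regeneration point.
    """
    age = t_h if period_h is None else t_h % period_h
    return LAM_SINGLE + hazard_pair(age, LAM_CHANNEL)

def failure_probability(total_h, period_h=None):
    """P(system fails within total_h); total_h is a multiple of period_h."""
    interval = total_h if period_h is None else period_h
    q = -math.expm1(-LAM_CHANNEL * interval)
    # Cumulative hazard of one interval: non-redundant part plus pair (-ln R).
    per_interval = LAM_SINGLE * interval - math.log1p(-q * q)
    return -math.expm1(-(total_h / interval) * per_interval)

if __name__ == "__main__":
    total = MISSION_H * N_MISSIONS
    for label, period in (("without post mortem", None),
                          ("with post mortem", MISSION_H)):
        p = failure_probability(total, period)
        h = system_hazard(total - 1e-9, period)
        print(f"{label}: P(fail in {total:.0f} h) = {p:.3e}, "
              f"failure rate at end of last mission = {h:.2e}/h")
```

With regeneration the failure rate returns to the non-redundant floor at every post mortem; without it the rate keeps climbing toward the single-channel rate.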

17 Results for the Simplified MPS
Columns: System; Unsafety/year; False dumps/year, average (std. dev.); Analysis including; Not included
LBDS [RF]: 1.4 × 10^-7 (2X); 2.6 (2X) (+/-1.6); including (Re-)triggering system, MKD (MIL-217F), BET, BEM (assumptions); not included MSD, Q4, MKB, TDE
BIC [BT]: 0.7 × 10^-3; (+/-1.3); including User Boxes only (MIL-217F); not included BIC core, VME and permit loops
BLM [GG]: 1.7 × 10^-3; (+/-2.1); including Focused loss on single monitor (MIL-217F, SPS data); not included Design upgrades
PIC [MZ]: 0.5 × 10^-3; (+/-1.2); including One LHC sector (MIL-217F); not included PLC
QPS [AV]: 0.4 × 10^-3; (+/-2.7); including Complete system (MIL-217F); not included Power converters for electronics
OVERALL RESULTS MPS: 3.3 × 10^-3; (+/-10.5); -

18 Comment on Results Safety
Probability of failing unsafe: about 300 years (Mean Time To Failure)
- The punctual loss for the BLM is too conservative as a beam loss is likely to affect several monitors.
- If at least two monitors are concerned then BLM unsafety < 2.9 × 10^-6 per year instead of 1.7 × 10^-3
Optimistic method of calculation
- BIC model only includes user boxes (= single point of failure)
- Many systems not included in the analysis
- But most critical systems should be in
Conservative method of calculation
- Assumes all systems (one of each) have to be available for every beam dump
- The QPS, the PIC and the BLM are not always required
LBDS itself extremely safe
- Due to large redundancy in the active system and in the surveillance system

19 Comments on Results Availability
20 false dumps per year expected
- 5 % of all fills (+/- 2.5 % std. dev.)
- One third of it expected to originate from the QPS
Calculations of availability based on
- About 3500 BLMs
- About 4000 channels for QPS
- 36 PIC and 16 BIC systems
Generally
- Contribution of powering system within the MPS needs to be assessed in more detail and could have been overestimated
- For QPS, power converters of electronics are not included. If included, number of false quenches almost x 2 – see Chamonix 2003, p
- However, the pc could be doubled if found necessary ($)
- Some systems still under development

20 Keeping in mind
Results shown for a simplified model of the MPS
- Not in: beam position, RF, collimation system, post mortem
- Distinction on source of dump requests could be necessary
- Distinction on fraction of false dumps due to surveillance and due to the actual equipment can be interesting
- Some calculations are preliminary (BIC)
- Sensitivity analyses
Availability also depends on systems outside the MPS
- Power converters, cryogenics, vacuum,…

21 Trading-off Safety and Availability
The MPS is a trade-off
- Safety is the primary goal of the MPS while keeping the Availability acceptable
- Many interlocks make the system safer BUT any faulty interlock (fail-safe) reduces the availability of the system
- Therefore, Safety and Availability are correlated.
Safe beam flag
- Benefit: some interlocks are maskable during non critical phases
- Operational freedom, increased availability
- Drawback: reliable tracking of phase changes is mandatory
- If it fails, it must fail safely

22 Conclusions
Safety
- Failing unsafe 3/1000 years
- Equivalent to 7.5 × 10^-7/h and compatible with SIL2 (10^-7/h) of IEC standard for safety critical system
- Beam dumping system itself: 7 × 10^-11/h: SIL4
- Acceptable ?
Availability coming from MPS
- 20 false dumps per year, 5 % of all fills
- Other systems ?
Comments
- Simplified system
- Importance of post mortem
- Reliable safe beam flag
Green Light from MPS: 95 % of the time
Acknowledgements: Machine Protection Reliability Working Group

