Will We Ever Get The Green Light For Beam Operation?
J. Uythoven & R. Filippini
For the Reliability Working Group, Sub Working Group of the MPWG
Topics of the Presentation
• LHC Machine Protection System (MPS)
• Red/green light to LHC operations
• Reliability concerns
  • Safety and Availability
• The simplified MPS studied
  • Models, analysis and results
• Comments and remarks
• Conclusions
Chamonix@CERN 2005, Green Light
Avoid Destruction: Red Light
• Red light for beam operation: normal dump request
  • Planned end of physics run
  • Or caused by an unsafe beam
  • NOT caused by faulty equipment
• Main tasks of MPS
  • Transmission of beam dump request
  • Execution of beam dump request
• Historical
  • Afraid of missing or bad execution of normal beam dump
  • Historical concept of reliable beam dumping system: 1 failure per 100 years
Allow Operation: Green Light
• Green light to start operation
  • No green light to inject if not everything 100 % o.k.
  • Dry beam dump first if necessary
• Green light to continue operation
  • Trigger of beam dump if something detected wrong in equipment status: false beam dumps
• False beam dump
  • Caused by faulty equipment
  • Caused by failures in surveillance system giving the wrong diagnostics, leading to a beam dump
Aims of Machine Protection System Analysis
Safety: the probability the system terminates its task without any consequences regarding injury, damage or loss of equipment.
Availability: the probability the system is performing the required function at a stated instant of time.
• Availability of the MPS
  • System available at any time t during a fill
  • No false dumps are allowed
  • Unavailability in terms of number of false dumps per year
• Safety of the MPS
  • System available at any time t during a fill
  • False dumps are allowed, system remains safe
  • Unsafety in terms of probability per year
Machine Protection System: Simplified Architecture Studied
Functional Architecture Used for Reliability Calculations
(Diagram labels: Dump request from the control room; BIC 1 … BIC x … BIC 6; QPS, PIC, BLM; LBDS. Legend: systems available at a dump request from point x; systems to be available at any dump request.)
Assumptions for MPS Reliability Calculations
Failure rate: the rate at which failure occurs as a function of time.
• Operational scenario
  • Assume 200 days/year of operation, 10 hours per run followed by post mortem, 400 fills per year
  • For every beam dump: LBDS + (BIC + BLM + PIC + QPS) at point x
  • Conservative for safety calculations concerning BLM, PIC and QPS
  • Realistic for availability calculations
• Failure rates
  • Assume constant failure rates
  • Calculated in accordance with the Military Handbook 217F
• Others
  • The system may fail only when it operates
  • It cannot be repaired if failed unsafe: GAME OVER
Benefit of Post Mortem for Redundant Systems
(Plot labels: 10^-4/h, 10^-7/h, 10^-4/h)
• Post mortem is performed every 10 hours
• The system is recovered at full redundancy
  • Regeneration points
• Failure rate is lower bounded by the not redundant part
Assumptions for MPS Reliability Calculations (Continued)
Regeneration point: the instant when a system is recovered to a fault free state (as good as new).
• Regeneration points depend on diagnostics effectiveness
• Benefits from diagnostics exist for all redundant systems in the MPS
Subsystem Analysis: LBDS
(Diagram labels: LHC ring, BEAM, Dump request, Dump trigger, Powering + Surveillance, Triggering + Re-triggering, RF, BEM, MKD, Q4, MSD, MKB, TDE)
State Transitions Diagram: LBDS
(Diagram labels: Available, Failed safe, Failed; Surveillance, Detected faults, Undetected faults, Silent faults, Fail safe surveillance, NO surveillance)
SAFETY = system available or failed safe
Results for one LBDS
• Results for the MKD kickers including the triggering/re-triggering systems and the powering surveillance
Some Plots
(Plot titles: False dumps distribution per year; Unsafety per year = 400 missions)
Post Mortem for LBDS
• Post mortem benefit
  • Analyzes the past fill and recovers the system to as good as new state
  • Gives the local beam permit to the next LHC fill
• But
  • Faulty post mortem may seriously affect safety
• Note
  • Post mortem process should be fail safe (no beam permit is given)
(Plot: LBDS failure rate with and without post mortem, over 10 consecutive missions; curves labelled "Without post mortem" and "With post mortem")
Results for the Simplified MPS
Comments on Results: Safety
• Probability of failing unsafe about every 300 years (Mean Time To Failure)
• The punctual loss for the BLM is too conservative as a beam loss is likely to affect several monitors. If at least two monitors are concerned then BLM unsafety < 2.75 × 10^-6 per year instead of 1.7 × 10^-3
• Optimistic method of calculation
  • BIC model only includes user boxes (= single point of failure)
  • Many systems not included in the analysis
  • But most critical systems should be in
• Conservative method of calculation
  • Assumes all systems have to be available for every beam dump
  • The QPS, the PIC and the BLM are not always required
• LBDS itself extremely safe
  • Due to large redundancy in the active system and in the surveillance system
Comments on Results: Availability
• 27 false dumps per year expected
  • 7 % of all fills
  • Half of them expected to originate from the QPS
• Generally
  • Contribution of powering system within the MPS needs to be assessed in more detail and could have been overestimated
  • Some systems still under development
Keeping in mind
• Results shown for a simplified model of the MPS
  • Not in: beam position, RF, collimation system, post mortem
• Distinction on source of dump requests could be necessary
• Distinction on fraction of false dumps due to surveillance and due to the actual equipment can be interesting
• Some calculations are preliminary (BIC)
  • Sensitivity analyses
• Availability also depends on systems outside the MPS
  • Power converters, cryogenics, vacuum, …
Trading-off Safety and Availability
• The MPS is a trade-off
  • Safety is the primary goal of the MPS while keeping the Availability acceptable
  • Many interlocks make the system safer BUT any faulty interlock (fail-safe) reduces the availability of the system
  • Therefore, Safety and Availability are correlated
• Safe beam flag
  • Benefit: some interlocks are maskable during non critical phases
    • Operational freedom
  • Drawback: reliable tracking of phase changes is mandatory
    • If it fails it must fail safe
Conclusions
• Safety
  • Failing unsafe 3/1000 years
  • Equivalent to 7.5 × 10^-7/h and compatible with SIL2 (10^-7/h) of the IEC 61508 standard for safety critical systems
  • Acceptable?
• Availability
  • 27 false dumps per year, 7 % of the total
  • Acceptable?
• Comments
  • Simplified system
  • Importance of post mortem
  • Reliable safe beam flag
Acknowledgements: Machine Protection Reliability Working Group
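As an added worked example (not from the presentation or the working group), the following Python code models a hypothetical 1-out-of-2 redundant system with surveillance under the assumptions stated earlier (constant failure rates, 10 h missions, 400 fills a year, post mortem regenerating the system to as good as new). It reproduces the post mortem benefit of the redundant-system slide, the comparison with and without post mortem over 10 consecutive missions, and the conversion of the 3/1000 per year of the conclusions into a per-hour figure checked against the IEC 61508 SIL bands. The channel failure rates and surveillance coverage used are constructed values, not LHC data.

```python
import math

# Operational scenario from the presentation: 400 fills per year, each a
# 10 h mission ended by a post mortem that regenerates the system.
MISSION_HOURS = 10.0
MISSIONS_PER_YEAR = 400

def p_fail(rate, hours):
    """Probability that a constant-failure-rate component fails within `hours`."""
    return 1.0 - math.exp(-rate * hours)

def mission_probabilities(chan_rate, coverage, hours=MISSION_HOURS, single_rate=0.0):
    """Per-mission (false dump, unsafe) probabilities for a hypothetical 1-out-of-2
    redundant pair plus an optional non-redundant single point of failure.
    chan_rate/single_rate are constant failure rates [1/h]; coverage is the fraction
    of faults the surveillance detects (a detected fault dumps the beam: fail safe)."""
    p_ch, p_sp = p_fail(chan_rate, hours), p_fail(single_rate, hours)
    # Any detected fault triggers a dump the beam did not need: a false dump.
    p_false = 1.0 - (1.0 - coverage * p_ch) ** 2 * (1.0 - coverage * p_sp)
    # Unsafe: both channels fail silently within one mission, or the single point does.
    p_red = ((1.0 - coverage) * p_ch) ** 2
    p_sp_unsafe = (1.0 - coverage) * p_sp
    return p_false, 1.0 - (1.0 - p_red) * (1.0 - p_sp_unsafe)

def unsafe_rate_per_hour(p_unsafe_mission, hours=MISSION_HOURS):
    """Average dangerous failure rate when post mortem regenerates every `hours`."""
    return p_unsafe_mission / hours

def unsafe_without_post_mortem(chan_rate, coverage, n_missions, hours=MISSION_HOURS):
    """Unsafe probability of the redundant pair over n missions with no regeneration."""
    return ((1.0 - coverage) * p_fail(chan_rate, n_missions * hours)) ** 2

def pfh_from_yearly(p_year, missions=MISSIONS_PER_YEAR, hours=MISSION_HOURS):
    """Convert a per-year unsafe probability into a per-operating-hour figure."""
    return p_year / (missions * hours)

def sil_level(pfh):
    """IEC 61508 high-demand band for a probability of dangerous failure per hour."""
    for level, lower in ((4, 1e-9), (3, 1e-8), (2, 1e-7), (1, 1e-6)):
        if lower <= pfh < lower * 10:
            return level
    return 0  # outside the SIL 1..4 bands

if __name__ == "__main__":
    pf, pu = mission_probabilities(1e-4, 0.0)  # constructed: 1e-4/h channels, no surveillance
    print(f"redundant pair, post mortem every 10 h: {unsafe_rate_per_hour(pu):.1e}/h")
    print(f"same pair, 10 missions without post mortem: {unsafe_without_post_mortem(1e-4, 0.0, 10):.1e}")
    print(f"3/1000 per year -> {pfh_from_yearly(3e-3):.2e}/h, SIL {sil_level(pfh_from_yearly(3e-3))}")
```

With 10^-4/h channels the regenerated pair comes out at about 10^-7/h, the figure on the post mortem slide, while the same pair left unregenerated for 10 missions is roughly ten times worse; adding a non-redundant part with the same rate pulls the result back up to that part's own failure probability, which is the lower bound the slide refers to.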