1 / 17

Machine Protection Panel for SIL3 Dependability Requirements

Ensuring safety and reliability at CERN's LHC with Machine Protection Panel based on IEC-61508 standards. Understand the failure types, redundancy needs, and FMECA analysis for dependable design.

wwilliams
Download Presentation

Machine Protection Panel for SIL3 Dependability Requirements

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Thanks to: Machine Protection Panel, R. Schmidt, B. Puccio, M. Zerlauth, J. Uythoven and many more… 0v2

  2. MPS Dependability Requirements MPS safety based on IEC-61508 - losses = downtime and repair cost SIL3 seemed highest obtainable realisitically 1 CHF = 1.1CAD Therefore needs SIL3 ( As Low As Reasonable Possible) Only a SUB-SET of the system needs to be SIL 3 Every failure will lead to beam losses! CERN, the LHC and Machine Protection

  3. Safe Sub-Set CERN, the LHC and Machine Protection

  4. Reliability Sub-Working Group Reliability Sub-Working Group established to study the sub-set… Assumptions made: Operational Scenario: 200 days = 400 x 10h missions + 2h checks Diagnostics Effectiveness: LHC Beam Dump System As Good As New after checks Beam Interlock System As Good As New after checks Beam Loss Monitors partially regenerated Quench Protection System regenerated periodically Power Interlock Controllers regenerated periodically Dump Request Apportionment: 60% are planned dumps (end physics) 15%fast beam losses 15% slow beam losses 10%other types of failure Redundancy: Beam Loss Monitors have no redundancy Work here thanks J.Uythoven & many others [16] CERN, the LHC and Machine Protection

  5. Failure Types and Apportionment Planned XPDR 60% Fast XBLFAST Dump Event Beam Dumped BLM BIS LBDS 15% Beam Loss XBLSLOW BLM 15% Slow Unforeseen QPS PIC 10% XOTHERS Other Work here thanks J.Uythoven & many others [16] CERN, the LHC and Machine Protection

  6. Reliability Sub-Working Group Planned XPDR 60% Fast XBLFAST Dump Event Beam Dumped BLM BIS LBDS 15% Newer figures in later talks Beam Loss XBLSLOW BLM 15% Slow Unforeseen QPS PIC 10% SIL3 10% XOTHERS Other Work here thanks J.Uythoven & many others [16] CERN, the LHC and Machine Protection

  7. BIS Dependable Design BIS has a dependability specification “…[BIS] must react to a single change in USER PERMIT by correctly actioning the relevant BEAM PERMIT with a safety better than or equal to Safety Integrity Level 3. Less than 1% of missions must be aborted due to failures in the Beam Interlock System...” High Safety High Reliability High Availability Maintainable High Dependability CERN, the LHC and Machine Protection

  8. So…BIS SIL3 or better?? = FMECA Failure Modes, Effects and Criticality Analysis In what way can something go wrong?… …when it does go wrong, what happens to the system?… …and just how much of a problem does this cause? CERN, the LHC and Machine Protection

  9. FMECA FMECAstarts at theComponent Levelof a system MIL-STD-1629 Break a largesysteminto blocks, defining smaller, manageablesub-systems get subsystemschematics, component list,andunderstandwhat it does MIL-HDBK-338 MIL-HDBK-217 get MTBFof each component on the list, derivePFAIL(mission) MIL-HDBK-338 FMD-97 derivefailure modesandfailure mode ratiosfor each component explain theeffect of each failure modeon both the subsystem and system determine theprobability of each failure modehappening. Drawconclusions! CERN, the LHC and Machine Protection

  10. FMECA Bill of Materials MIL-HDBK-217F or manufacturer FMD-97 MIL-HDBK-338 CERN, the LHC and Machine Protection

  11. FMECA Schematic multiply through Designer Knowledge MIL-HDBK-338 CERN, the LHC and Machine Protection

  12. Dependability vs. Configuration Hourly rate is based on MIL, Manufacturer etc. Extrapolation is non-trivial, whole MPS FMECA approach being verified by another PhD CERN, the LHC and Machine Protection

  13. Full Redundancy FMECA Results NE = No Effect M = Maintenance FD = False Dump BF = Blind Failure False Dump = unavailability Blind Failure = unsafety ~1% of all fills are lost due to a failure of the BIS SIL 4 CERN, the LHC and Machine Protection

  14. Hardware Design Flow Specification –including safety requirements Design –to meet specification FMECA … Signal Integrity Analysis –slew rate, impedance, connections Design for Testing–test coverage, test benching Design for Manufacture –layout, sizes, procurement Over sizing / Thermal considerations –layout, heating, packages Electro-Magnetic Compatibility Testing –shields, grounds, supplies, noise Radiation / Single Event Testing –Single Event Effects, Total Ionising Dose Build Test bench for each board –supplier contract depends on passed tests Power Soak –weeks in lab, switch on, fail? - return to manufacturer Controller Testing – Assemble complete controller 100% testbench Installation & Commissioning Operational Experience … Audited by internal / external reviewers … Finally have hardware system adhering to ALL requirements Should be constant failure rate – flat part of bathtub curve BUT!!! What about VHDL? How does that ‘fail’? Is our design complete? CERN, the LHC and Machine Protection

  15. FIN CERN, the LHC and Machine Protection

  16. Refences / Acknowledgements [1] CERN’s mission statement http://public.web.cern.ch/public/en/About/Mission-en.html [2] Aerial view of CERN http://cdsweb.cern.ch/record/39026 [3] LHC Machine Protection http://cern.ch/AccelConf/p07/PAPERS/TUZAC03.PDF [4] CERN photography http://cdsweb.cern.ch/ [5] CERN. LHC Cost and Schedule Review Committee Report, 15 December 2003. http://user.web.cern.ch/user/LHCCost/2003-12-15/CostScheduleReview2.pdf [6] CERN. ATLAS Technical Proposal for a General-Purpose pp Experiment at the LHC at CERN, 15 December 1994. http://atlas.web.cern.ch/Atlas/TP/NEW/HTML/tp9new/tp9.html [7] CERN. CMS Technical Proposal. [8] CERN. ALICE Technical Proposal for A Large Ion Collider Experiment at the CERN LHC, 15 December 1995. http://doc.cern.ch//archive/electronic/other/generic/public/cer-000214817.pdf [9] CERN. Status of the LHCb Experiment, 30 September 2005. http://lhcb-doc.web.cern.ch/lhcb-doc/progress/Source/RRB/October_2005/RRB_status.pdf [10] CERN. CERN AC Note 2000/03: General description of the CNGS Project, 2000. http://proj-cngs.web.cern.ch/proj-cngs/GeneralDescriptionVe/GDVe_p03.htm [11] CERN, LHC FAQ http://cdsweb.cern.ch/record/1092437/files/CERN-Brochure-2008-001-Eng.pdf CERN, the LHC and Machine Protection

  17. Refences / Acknowledgements [12] CERN - Scientific Information Service - Archive. Chronologie du CERN, 2005. http://library.cern.ch/archives/chrono/chrono_2002_cern.php [13] R. Assmann and other. requirements for the LHC collimation system. In Proceedings from EPAC’02, La Vilette, Paris, France, 3-7 June 2002. adapted from http://accelconf.web.cern.ch/AccelConf/e02/PAPERS/TUAGB001.pdf [14] V. Kain et al. Material damage test with 450 gev LHC-type beam. In Proceedings from PAC’05, Knoxville, TN, USA, 16-20 May 2005. http://accelconf.web.cern.ch/AccelConf/p05/PAPERS/RPPE018.PDF [15] R. Schmidt and J. Wenninger. Protection against accidental beam losses at the LHC. In Proceedings from PAC’05, Knoxville, TN, USA, 16-20 May 2005. http://epaper.kek.jp/p05/PAPERS/MOPA005.PDF [16] R. Filippini et al, RELIABILITY ASSESSMENT OF THE LHC MACHINE PROTECTION SYSTEM Proceedings from PAC’05, Knoxville, TN, USA, 16-20 May 2005. http://accelconf.web.cern.ch/AccelConf/p05/PAPERS/TPAP011.PDF CERN, the LHC and Machine Protection

More Related