1 / 29

1v0

1v0. CIBU Failure Explanation. 1. Background CIBU Input Circuits Installation Rules MI Stance. 2. Before the Incident Vacuum System as Tested Conformity Functional Testing. 3. The Incident Modified Interconnection Failure in the CIBU Report of Non-Conformities. 4. Future Goals

zan
Download Presentation

1v0

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 1v0

  2. CIBU Failure Explanation 1. Background • CIBU Input Circuits • Installation Rules • MI Stance 2. Before the Incident • Vacuum System as Tested • Conformity • Functional Testing 3. The Incident • Modified Interconnection • Failure in the CIBU • Report of Non-Conformities 4. Future Goals • Connection Specification • Improvements to Interfaces • Automated Test Sequences LHC Beam Interlock System

  3. Background • Machine Interlocks Section • Develop fail-safe dependable hardware • Testing / failure modes analysis of all critical hardware • Audited / reviewed internally and externally • We commit to • Be open and honest with you about our work • Share our experiences openly (both bad & good) • Be completely open to critique / criticism • Optimise the balance safety versus physics • If ever we find weaknesses in our designs effecting safety • We will present the findings to MPP and stop the LHC until issues can be solved • Every experience is fed back into the design • Everyone’s opinioncounts. • This is an example of this commitment to you – no blame to be assigned! • Quite the opposite! • We can use this to improve our designs - Let’s take a look… LHC Beam Interlock System

  4. The User Interface (CIBU) • User System to Beam Interlock System connection • Unique Hardware for All Users • Current Loops • Redundant Circuits • Tested to CIBU Output Connector Internally using BIS TEST • Need USER SYSTEM Test for full coverage CIBU is used in the whole accelerator complex Many CIBU-Hours of operation for statistics Around 2e6 unit-hours - SPS since 2006 Link Specified in: https://edms.cern.ch/document/636589/1.4 Until this year – NO failures on critical paths LHC Beam Interlock System

  5. The User Interface (CIBU) User Interface (CIBU) User System to Controller LHC Beam Interlock System

  6. CIBU Input Circuit User System User Interface (CIBU) to Controller LHC Beam Interlock System

  7. CIBU Input Circuit User System User Interface (CIBU) to Controller LHC Beam Interlock System

  8. CIBU Input Circuit User System User Interface (CIBU) to Controller LHC Beam Interlock System

  9. CIBU Input Circuit User System User Interface (CIBU) to Controller LHC Beam Interlock System

  10. CIBU Input Circuit LHC Beam Interlock System

  11. Timescale • 7th August 2008 • No Beam In the Machine • Final Commissioning Vacuum System to Beam Interlock System • Vacuum Valves moved IN around IR3 • Vacuum UJ33 USER_PERMIT_A stayed TRUE • Vacuum UJ33 USER_PERMIT_B stayed TRUE • BIC Test Mode showed ALL OK • Commissioning Fail LHC Beam Interlock System

  12. As Tested July 08 LHC Beam Interlock System

  13. EIS • Between July and August • EIS (Elément Important de Sécurité) • Added to Interlock Logic • EIS controlled by Access System (Personnel Protection Device) • 3. Access System connected to BIS via Vacuum System MI were not aware of this cabling change LHC Beam Interlock System

  14. August 08 - After Incident LHC Beam Interlock System

  15. August 08 - After Incident 46 Signals From other equipment 6 floating wires Surface IR3 100m PLC = 48V Not Enclosed 2m to Lift Motor 1m to GSM Repeater WHEN CONNECTED CIBU ALWAYS TRUE (next slides) LHC Beam Interlock System

  16. What was the mechanism? Access – Connected Panel to Surface PLC incorrectly initially …took several attempts … LHC Beam Interlock System

  17. What was the mechanism? LHC Beam Interlock System

  18. What was the mechanism? LHC Beam Interlock System

  19. What was the mechanism? LHC Beam Interlock System

  20. What was the mechanism? LHC Beam Interlock System

  21. What was the mechanism? LHC Beam Interlock System

  22. What was the mechanism? LHC Beam Interlock System

  23. What was the mechanism? LHC Beam Interlock System

  24. In Summary Several events = complete Blind Failure • Two Equipment systems sharing the same channel • PLC Voltage against rules • TVS Blocked Short-Circuit • Inputs were not redundant • Not re-commissioned by MI after a significant change In addition… a) Cable length against rules b) EMC would have been a show-stopper anyway! LHC Beam Interlock System

  25. Future Work Shows weaknesses in the interconnection conception: • No redundancy = No SIL • Can a GND short be mitigated? • Human Error can never be 100% eradicated – • Testing before each fill should be possible if in doubt! For each User System • Change to use full redundancy • Change so a GND fault doesn’t fail blind • Automated Test from User Side A /= B LHC Beam Interlock System

  26. FIN LHC Beam Interlock System

  27. CIBU Failure Explanation 1. Background • CIBU Input Circuits • Installation Rules • MI Stance 2. Before the Incident • Vacuum System as Tested • Conformity • Functional Testing 3. The Incident • Modified Interconnection • Failure in the CIBU • Report of Non-Conformities 4. Future Goals • Connection Specification • Improvements to Interfaces • Automated Test Sequences LHC Beam Interlock System

  28. Incident 1. Background • CIBU Input Circuits • Installation Rules • MI Stance 2. Before the Incident • Vacuum System as Tested • Conformity • Functional Testing 3. The Incident • Modified Interconnection • Failure in the CIBU • Report of Non-Conformities 4. Future Goals • Connection Specification • Improvements to Interfaces • Automated Test Sequences LHC Beam Interlock System

  29. Future Goals 1. Background • CIBU Input Circuits • Installation Rules • MI Stance 2. Before the Incident • Vacuum System as Tested • Conformity • Functional Testing 3. The Incident • Modified Interconnection • Failure in the CIBU • Report of Non-Conformities 4. Future Goals • Connection Specification • Improvements to Interfaces • Automated Test Sequences LHC Beam Interlock System

More Related