
Dependability Requirements of the LBDS and their Design Implications

This article discusses the dependability requirements of the LHC Machine Protection System and their design implications for the LBDS. It covers topics such as safety assessment, SIL ranking, availability, and fault-tolerant design. The article also includes a detailed dependability analysis of the LBDS and concludes that it is not a weak link in the MPS.





Presentation Transcript


  1. Dependability Requirements of the LBDS and their Design Implications
  Jan Uythoven (AB/BT)
  References to work by R. Filippini (Ph.D. thesis) and the Machine Protection Working Group

  2. Outline
  • Requirements on the LBDS in the context of the Machine Protection System
  • Dependability numbers for the MPS
  • Dependability numbers for the LBDS
  • Safe Design of the LBDS
    • Measures taken
    • Sensitivity
    • Procedures
  • Conclusions
  LBDS Audit, 28 January 2008

  3. Dependability Requirements of the LHC Machine Protection System
  • Safety Assessment (‘reliability’)
    • IEC 61508 standard defining the different Safety Integrity Levels (SIL), ranking from SIL1 to SIL4
    • Based on Risk Classes = Consequence x Frequency
    • The Machine Protection System for the LHC should be SIL3, taking the definition for Protection Systems, with a probability of failure between 10^-8 and 10^-7 per hour (because of short mission times)
    • Catastrophe = beam should have been dumped and this did not take place; can possibly cause large damage
    • With 200 days of operation per year: 1/10^-7 hours → 1 failure every 2000 years
  • Availability
    • Definition:
      • Beam is dumped when it was not required
      • Operation cannot take place because the protection system does not give the green light (is not ready)
    • Requirement:
      • Definition not according to any standard
      • Downtime comparable to other accelerator equipment; maximum tens of operations per year

  4. The LBDS within the Machine Protection System
  • Study of a simplified Machine Protection System
    • LBDS, BIC, BLM, QPS, PIC
    • The absolute value of the unsafety and the number of false dumps depend critically on model assumptions
  • Dependability studies were made for each sub-system
  • Unsafety of the LBDS and availability comparable to the other systems:
    • Unsafety 2 x 2.4 x 10^-7 /year
    • False dumps 2 x 4 /year
  Resulting safety number can be between SIL2 and SIL4
  LBDS Safety > SIL 4 !

  5. Calculation of the LBDS Dependability Numbers
  • Ph.D. thesis Roberto Filippini
  • FMECA analysis
    • More than 2100 failure modes at component level
    • Component failure rates from standard literature (Military Handbook)
    • Arranged into 21 System Failure modes
  • Operational Scenarios with State Transition Diagram for each Mission = 1 LHC fill
  • State Transition Diagram for Sequence of Missions and checks

  6. Fault Tolerant Design
  (Labels from the slide's figure of the LBDS subsystems, in the order they appear:)
    • Redundancy: 14 out of 15 MKD, 1 out of 2 MKD generator branches
    • Surveillance: Energy tracking, Retriggering
    • Surveillance: Reference energy taken from 4 Main Dipole circuits, TX/RX error detection, Voting of inputs
    • Surveillance: Energy tracking, Fast current change monitoring (MSD)
    • Redundancy: 1 out of 2 trigger generation and distribution
    • Surveillance: Synchronization tracking
    • Redundancy: 1 out of 4 MKBH, 1 out of 6 MKBV
    • Surveillance: Energy tracking
  No single point of failure should exist in the LBDS
  • Redundancy is introduced to allow failures up to a certain threshold
  • Redundancy in components and in signal paths
  • Surveillance detects failures and issues a fail-safe dump request

  7. Apportionment of Dependability
  • Safety and number of false dumps are apportioned to the LBDS components.
  • The MKD is the most complicated and critical system of the LBDS. It makes the largest contribution both to unsafety (75 %) and to the number of false dumps (60 %).

  8. Sensitivity to Fault Tolerant Design and Surveillance (ReTrig. System)
  (Figure: sensitivity plot; only its caption survives.) All these systems are obligatory!

  9. Sensitivity to Assumed Failure Rates
  (Figure: sensitivity plots, labelled "Important for Safety" and "Important for Availability".)

  10. Safety by Operation / Procedures
  • Periodic checks to get back to a state which is ‘as good as new’
    • Failure rates of redundant systems increase in time – get back to zero (different from ageing)
    • Included in Dependability Calculations
  • After each LHC beam dump the green light for injection is only given when
    • Internal Post Operational Check (IPOC) is ok:
      • MKD and MKB current waveforms
      • Redundancy in current paths
      • …
    • External Post Operational Check (XPOC):
      • MKD and MKB current waveforms
      • Image on screen in front of beam dump
      • Beam Loss Monitors in the extraction area and dump line
      • …
  • Testing before operation
    • Tests in the laboratory, before installation
    • Tests once installed, before operation with beam
  (References on the slide: Talk NM, Talk EG, Talk JU)
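A worked example, added here and not part of the presentation, that carries slide 3's SIL arithmetic (200 operating days, 10^-7 failures per hour) and the 14-out-of-15 MKD redundancy of slide 6 through in Python, and shows numerically why the periodic checks of slide 10 matter for a redundant system: latent failures accumulate between checks, and each check resets the count. The per-MKD-branch failure rate and the 10-hour fill length are constructed assumptions, not figures from the slides.

```python
import math
from math import comb

# Constructed assumptions (not from the slides): dangerous failure rate of one
# MKD branch and the duration of one LHC fill (= one mission).
MKD_BRANCH_FAILURE_RATE_PER_HOUR = 1e-5
MISSION_HOURS = 10.0


def operating_hours_per_year(days_of_operation=200):
    """Slide 3: 200 days of operation per year, expressed in hours."""
    return days_of_operation * 24


def years_between_failures(pfh, days_of_operation=200):
    """Mean years between catastrophic failures for a per-hour failure
    probability pfh (SIL3 for protection systems: 1e-8 to 1e-7 per hour)."""
    return 1.0 / (pfh * operating_hours_per_year(days_of_operation))


def p_fail_within(rate_per_hour, hours):
    """Probability that a component with constant failure rate fails within
    `hours` of operation since it was last verified good."""
    return 1.0 - math.exp(-rate_per_hour * hours)


def k_out_of_n_failure(n, k, p):
    """Probability that fewer than k of n identical, independent components
    survive, i.e. that at least n-k+1 of them have failed (binomial tail)."""
    return sum(comb(n, j) * p**j * (1 - p) ** (n - j) for j in range(n - k + 1, n + 1))


def mkd_unsafety_per_year(check_interval_hours, n=15, k=14,
                          rate=MKD_BRANCH_FAILURE_RATE_PER_HOUR, days=200):
    """Yearly probability that the 14-out-of-15 MKD arrangement loses more
    branches than its redundancy tolerates. Failures accumulate only until the
    next check, after which the system is 'as good as new', so the yearly
    figure is the per-interval risk summed over the intervals in a year
    (a small-probability approximation)."""
    hours = operating_hours_per_year(days)
    intervals = hours / check_interval_hours
    p_component = p_fail_within(rate, check_interval_hours)
    return intervals * k_out_of_n_failure(n, k, p_component)


if __name__ == "__main__":
    print(f"1e-7/h over 200 days/year: one failure every "
          f"{years_between_failures(1e-7):.0f} years")
    print(f"MKD unsafety/year, checked every fill: {mkd_unsafety_per_year(MISSION_HOURS):.2e}")
    print(f"MKD unsafety/year, never re-checked:   "
          f"{mkd_unsafety_per_year(operating_hours_per_year()):.2e}")
```

With the constructed rate, checking after every fill lowers the yearly MKD unsafety by more than two orders of magnitude compared with letting latent failures accumulate over a whole year, which is the effect slide 10 describes as failure rates of redundant systems "getting back to zero".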

  11. Conclusions
  • The Beam Dumping System has been designed with Safety and Availability as design criteria
    • Redundancy
    • Surveillance
    • Procedures
  • A detailed dependability analysis has been made for the Beam Dumping System and other Machine Protection Subsystems
    • Coherency within the Machine Protection System should lead to acceptable safety and availability of the MPS as a whole
    • Beam Dumping System not a weak link of the MPS concerning safety
    • Acceptable number of false beam dumps from the LBDS
  • Within the Beam Dumping System
    • Sensitivity to design parameters / redundancy shows that correct design choices seem to have been made
  To the ‘invited experts’ of the Audit to confirm (or not)
