1

Will We Ever Get The Will We Ever Get The Green Light For Beam Green Light For Beam

Operation?Operation?J. Uythoven & R. Filippini

For the Reliability Working GroupSub Working Group of the MPWG

Jan Uythoven, AB/BT

Chamonix@CERN 2005, Green Light

Page 2

Topics of the Topics of the PresentationPresentation

LHC Machine Protection System (MPS) Red/green light to LHC operations

Reliability concerns Safety and Availability

The simplified MPS studied Models, analysis and results

Comments and remarks Conclusions

Jan Uythoven, AB/BT

Chamonix@CERN 2005, Green Light

Page 3

Red light for beam operation: Normal dump request Planned end of physics run Or caused by an unsafe beam NOT caused by faulty equipment

Main tasks of MPS Transmission of beam dump request Execution of beam dump request

Historical Afraid of missing or bad execution of normal beam dump Historical concept of reliable beam dumping system:

1 failure per 100 years

Avoid Destruction Avoid Destruction Red LightRed Light

Jan Uythoven, AB/BT

Chamonix@CERN 2005, Green Light

Page 4

Allow OperationAllow OperationGreen LightGreen Light

Green light to start operation No green light to inject if not everything 100 % o.k. Dry beam dump first if necessary

Green light to continue operation Trigger of beam dump if something detected wrong in

equipment status: False beam dumps

False beam dump Caused by faulty equipment Caused by failures in surveillance system giving the

wrong diagnostics, leading to a beam dump

Jan Uythoven, AB/BT

Chamonix@CERN 2005, Green Light

Page 5

Aims of Machine Protection Aims of Machine Protection System AnalysisSystem Analysis

Availability of the MPS System available at any time t

during a fill No false dumps are allowed Unavailability in term of number of

false dumps per year

Safety of the MPS System available at any time t during a

fill False dumps are allowed, system

remains safe Unsafety in term of probability per year

The probability the system terminates its task without any consequences regarding injury, damage or loss of equipment.

The probability the system is performing the required function at a stated instant of time.

Jan Uythoven, AB/BT

Chamonix@CERN 2005, Green Light

Page 6

Machine Protection SystemMachine Protection SystemSimplified Architecture StudiedSimplified Architecture Studied

BISBeam Interlock System: BIC1 – BIC8

BIC xBeam Interlock Controller at point x

BLMBeam Loss Monitors

LBDSLHC Beam Dumping System

PICPower Interlock Controller

QPSQuench Protection System

Jan Uythoven, AB/BT

Chamonix@CERN 2005, Green Light

Page 7

Functional ArchitectureFunctional ArchitectureUsed for Reliability CalculationsUsed for Reliability Calculations

QPS

Systems available at a dump request from point x

PIC

BLM

BIC x BIC 6 LBDS

Systems to be available at any dump request

BIC 1Dump request from the control room

Jan Uythoven, AB/BT

Chamonix@CERN 2005, Green Light

Page 8

Assumptions for MPS Assumptions for MPS Reliability CalculationsReliability Calculations

Operational scenario Assume 200 days/year of operation, 10 hours per run followed by

post mortem, 400 fills per year For every beam dump LBDS + (BIC+BLM+PIC+QPS)point x

Conservative for safety calculations concerning BLM, PIC and QPS Realistic for availability calculations

Failure rates Assume constant failure rates Calculated in accordance to the Military Handbook 217F

Others The system may fail only when it operates It cannot be repaired if failed unsafe GAME OVER

The rate at which failure occurs as a function of time

Jan Uythoven, AB/BT

Chamonix@CERN 2005, Green Light

Page 9

Benefit of Post Mortem for Benefit of Post Mortem for Redundant SystemsRedundant Systems

Post mortem is performed every 10 hours. The system is recovered at full redundancy

Regeneration points Failure rate is lower bounded by the not redundant part

10-7/h

10-4 /h

10-4 /h

Jan Uythoven, AB/BT

Chamonix@CERN 2005, Green Light

Page 10

Assumptions for MPS Reliability Assumptions for MPS Reliability Calculations ContinuedCalculations Continued

Regeneration points depend on diagnostics effectiveness Benefits from diagnostic exist for all

redundant systems in the MPS

SYSTEM Partial regeneration As good as new

LBDS, BIC, PIC - Post mortem at every fill

QPS Post mortem at every fill Monthly inspection

BLM Post mortem at every fill Yearly overhaul

The instant when a system is recovered to a fault free state (as good as new)

Jan Uythoven, AB/BT

Chamonix@CERN 2005, Green Light

Page 11

Subsystem Analysis Subsystem Analysis LBDSLBDS

MKD

Q4,MSD

MKB

TDE

BEAM

LHC ring

Triggering + Re-

triggering

Dump trigger

RFPowering + Surveillanc

e

Dump request

BEM

Jan Uythoven, AB/BT

Chamonix@CERN 2005, Green Light

Page 12

State Transitions DiagramState Transitions DiagramLBDSLBDS

SAFETY = system available or failed safe

NO surveillance

Available Failed

Silent faults

Failedsafe

Undetected faultsDetected faults

Fail safe surveillance

Surveillance

Jan Uythoven, AB/BT

Chamonix@CERN 2005, Green Light

Page 13

Results for one LBDSResults for one LBDS

Results for the MKD kickers including the triggering/re-triggering systems and the powering surveillance

ONE LBDS Unsafety/year False dumps/year

The system 6.510-10 2.6

Safety bottleneck Triggering system at the BIC6 client interface

False dumps bottleneck Power triggers (power supplies)

Jan Uythoven, AB/BT

Chamonix@CERN 2005, Green Light

Page 14

Some PlotsSome Plots

Unsafety per year = 400 missions

False dumps distribution per year

Jan Uythoven, AB/BT

Chamonix@CERN 2005, Green Light

Page 15

Post Mortem for LBDSPost Mortem for LBDS

Post mortem benefit Analyzes the past fill and

recovers the system to as good as new state

Gives the local beam permit to the next LHC fill.

But Faulty post mortem may

seriously affect safety.

Note Post mortem process should

be fail safe (no beam permit is given).

LBDS failure rate with and without post mortem (over 10 consecutive missions)

With ..

Without post mortem

Jan Uythoven, AB/BT

Chamonix@CERN 2005, Green Light

Page 16

Results for the Results for the Simplified MPSSimplified MPS

System Unsafety/year False dumps/year Analysis including Not included

LBDS 6.5 10-10 (2X) 2.6 (2X) (Re-)triggering system,MKD (MIL-217F)

BET, BEM (assumptions)

MSD, Q4, MKB

TDE

BIC [BT]

7 10-4 1.6 User Boxes only (MIL-217F) BIC core, VME and permit loops

BLM

[GG]

1.7 10-3 4.8 Focused loss on single monitor

(MIL-217F, SPS data)

Design upgrades

PIC

[MZ]

5 10-4 1.5 One LHC sector (MIL-217F) Minor details

QPS

[AV]

4 10-4 14 Complete system (MIL-217F)

-

OVERALL RESULTS

MPS 0.0033 27 -

Jan Uythoven, AB/BT

Chamonix@CERN 2005, Green Light

Page 17

Comment on ResultsComment on ResultsSafetySafety

Probability of failing unsafe about every 300 years (Mean Time To Failure)

The punctual loss for the BLM is too conservative as a beam loss is likely to affect several monitors. If at least two monitors are concerned then BLM unsafety < 2.7510-6 per year instead of 1.710-3

Optimistic method of calculation BIC model only includes user boxes (= single point of failure) Many systems not included in the analysis

But most critical systems should be in Conservative method of calculation

Assumes all system have to be available for every beam dump The QPS, the PIC and the BLM are not always required

LBDS itself extremely safe Due to large redundancy in the active system and in the surveillance

system

Jan Uythoven, AB/BT

Chamonix@CERN 2005, Green Light

Page 18

Comments on ResultsComments on ResultsAvailabilityAvailability

27 false dumps per year expected 7 % of all fills Half of it expected to origin from the QPS

Generally Contribution of powering system within the MPS needs

to be assessed in more detail and could have been overestimated

Some systems still under development

Jan Uythoven, AB/BT

Chamonix@CERN 2005, Green Light

Page 19

Keeping in mindKeeping in mind

Results shown for a simplified model of the MPS Not in: beam position, RF, collimation system, post mortem Distinction on source of dump requests could be necessary Distinction on fraction of false dumps due to surveillance and

due to the actual equipment can be interesting Some calculations are preliminary (BIC) Sensitivity analyses

Availability also depends on systems outside the MPS Power converters, cryogenics, vacuum,…

Jan Uythoven, AB/BT

Chamonix@CERN 2005, Green Light

Page 20

Trading-off Trading-off Safety and AvailabilitySafety and Availability

The MPS is a trade-off Safety is the primary goal of the MPS while keeping the

Availability acceptable Many interlocks make the system safer BUT any faulty

interlock (fail-safe) reduces the availability of the system Therefore, Safety and Availability are correlated.

Safe beam flag Benefit: some interlocks are maskable during non critical

phases Operational freedom

Drawback: reliable tracking of phase changes is mandatory If it fails it must fail safe

Jan Uythoven, AB/BT

Chamonix@CERN 2005, Green Light

Page 21

ConclusionsConclusions Safety

Failing unsafe 3 /1000 years, Equivalent to 7.5 10-7/h and compatible with SIL2 (10-7/h) of

IEC-61508 standard for safety critical system Acceptable ?

Availability 27 false dumps per year, 7% the total Acceptable ?

Comments Simplified system Importance of post mortem Reliable safe beam flag

Acknowledgements:

Machine Protection Reliability Working Group