1 Will We Ever Get The Green Light For Beam Operation? J. Uythoven & R. Filippini For the Reliability Working Group Sub Working Group of the MPWG

Jan Uythoven, 2005, Green Light Page 2 Topics of the Presentation  LHC Machine Protection System (MPS)  Red / green light to LHC operations  ‘Reliability’ concerns  Safety and Availability  The simplified MPS studied  Models, analysis and results  Comments and remarks  Conclusions

Jan Uythoven, 2005, Green Light Page 3  Red light for beam operation  If we need to abort the beam, does it get dumped correctly?  Safety  Main tasks of MPS  Transmission of beam dump request  Execution of beam dump request  Historical  Afraid of missing or bad execution of a beam dump  Historical concept of ‘reliable’ beam dumping system: 1 failure per 100 years MPS: Avoid Damage Red Light

Jan Uythoven, 2005, Green Light Page 4 MPS: Allow Operation Green Light  Green light for beam operation  Does the MPS let us operate the machine?  Availability  False dump  No green light due to  Faulty ‘core equipment’ within the MPS  Fault in the surveillance system within the MPS: False Alarm

Jan Uythoven, 2005, Green Light Page 5 Aims of Machine Protection System Analysis  Availability of the MPS  System available on demand (at moment of dump request)  No false dumps are allowed  Unavailability in term of number of false dumps per year  Safety of the MPS  System available on demand (at moment of dump request)  False dumps are allowed, system remains safe  Unsafety in terms of probability per year The probability that the system terminates its task without any consequences regarding damage or loss of equipment. The probability that the system is performing the required function at a stated instant of time. And what about RELIABILITY ? RELIABILITY: The probability that the system is performing the required function for a stated PERIOD OF TIME RELIABILITY The plane is reliable if it gets me to my destination, once it is in the air SAFETY: One engine of the airplane broke down, but it landed safely at a different airport AVAILIBILITY: The plane leaves on time – on demand Processes which are not continuous; repair the plane between flights The ensemble is called DEPENDABILITY

Jan Uythoven, 2005, Green Light Page 6 Aims of Machine Protection System Analysis  Availability of the MPS  System available on demand (at moment of dump request)  No false dumps are allowed  Unavailability in term of number of false dumps per year  Safety of the MPS  System available on demand (at moment of dump request)  False dumps are allowed, system remains safe  Unsafety in terms of probability per year The probability that the system terminates its task without any consequences regarding damage or loss of equipment. The probability that the system is performing the required function at a stated instant of time.

Jan Uythoven, 2005, Green Light Page 7 Machine Protection System Simplified Architecture BIS Beam Interlock System: BIC1 (R/L) – BIC8 (R/L) BIC x Beam Interlock Controller at point x (our definition) BLM Beam Loss Monitors LBDS LHC Beam Dumping System PIC Powering Interlock Controller QPS Quench Protection System

Jan Uythoven, 2005, Green Light Page 8 Functional Architecture Used for the Calculations QPS Systems available at a dump request from point x PIC BLM BIC x BIC 1 Dump request from the control room BIC 6L LBDS Systems to be available at any dump request BIC 6R

Jan Uythoven, 2005, Green Light Page 9 Assumptions for MPS Calculations  Operational scenario  Assume 200 days/year of operation, 10 hours per run followed by post mortem, 400 fills per year  For every beam dump LBDS + (BIC+BLM+PIC+QPS) point x  Conservative for safety calculations concerning BLM, PIC and QPS  Realistic for availability calculations  Failure rates  Assume constant failure rates  Calculated in accordance to the Military Handbook 217F  Others  The system may fail only when it operates  It cannot be repaired if failed unsafe  GAME OVER The rate at which failure occurs as a function of time

Jan Uythoven, 2005, Green Light Page 10 Benefit of Diagnostics for Redundant Systems  Diagnostics is performed every 10 hours (example)  The system is recovered at full redundancy  Regeneration points  Failure rate is lower bounded by the non-redundant part /h /h

Jan Uythoven, 2005, Green Light Page 11 Assumptions for MPS Calculations … continued  Regeneration points depend on diagnostics effectiveness  Benefits from diagnostic exist for all redundant systems in the MPS SYSTEMPartial regenerationAs good as new LBDS, BIC, PIC-Post mortem at every fill QPS-Power abort or monthly inspection BLMPost mortem at every fillYearly overhaul The instant when a system is recovered to a fault free state (as good as new)

Jan Uythoven, 2005, Green Light Page 12 BEAM in the LHC Subsystem Analysis LBDS MKD Q4,MSD MKB TDE BEAM dumped Triggering + Re-triggering Dump trigger RF Powering + Surveillance Dump request BEM

Jan Uythoven, 2005, Green Light Page 13 State Transition Diagram LBDS AvailableFailed Silent faults SAFETY = available or failed safely False alarm Failed safely Undetected faults Detected faults Surveillance

Jan Uythoven, 2005, Green Light Page 14 Results for one LBDS  Results for the MKD kickers including the triggering/re-triggering systems and the powering surveillance ONE LBDSUnsafety / yearFalse dumps / year The system 1.4  (+/-1.6) Safety bottleneckMKD Magnets (coils + current cables): no surveillance False dumps bottleneckPower triggers (power supplies)

Jan Uythoven, 2005, Green Light Page 15 Some Plots Unsafety per year = 400 missions False dumps distribution per year

Jan Uythoven, 2005, Green Light Page 16 Post Mortem for LBDS  Post mortem benefit  Analyses the past fill and recovers the system to as good as new state  Gives the local beam permit to the next LHC fill.  Note  Faulty post mortem may seriously affect safety. LBDS failure rate with and without post mortem (over 10 consecutive missions) With.. Without post mortem

Jan Uythoven, 2005, Green Light Page 17 Results for the Simplified MPS SystemUnsafety/yearFalse dumps/year Average Std. Dev. Analysis includingNot included LBDS [RF] 1.4  (2X) 2.6 (2X) (+/-1.6) (Re-)triggering system,MKD (MIL-217F) BET, BEM (assumptions) MSD, Q4, MKB TDE BIC [BT] 0.7  (+/-1.3) User Boxes only (MIL-217F)BIC core, VME and permit loops BLM [GG] 1.7  (+/-2.1) Focused loss on single monitor (MIL-217F, SPS data) Design upgrades PIC [MZ] 0.5  (+/-1.2) One LHC sector (MIL-217F)PLC QPS [AV] 0.4  (+/-2.7) Complete system (MIL- 217F) Power converters for electronics OVERALL RESULTS MPS 3.3  (+/-10.5) -

Jan Uythoven, 2005, Green Light Page 18 Comment on Results Safety  Probability of failing unsafe about 300 years (Mean Time To Failure)  The punctual loss for the BLM is too conservative as a beam loss is likely to affect several monitors. If at least two monitors are concerned then BLM unsafety < 2.9  per year instead of 1.7   Optimistic method of calculation  BIC model only includes user boxes (= single point of failure)  Many systems not included in the analysis  But most critical systems should be in  Conservative method of calculation  Assumes all systems (one of each) have to be available for every beam dump  The QPS, the PIC and the BLM are not always required  LBDS itself extremely safe  Due to large redundancy in the active system and in the surveillance system

Jan Uythoven, 2005, Green Light Page 19 Comments on Results Availability  20 false dumps per year expected  5 % of all fills (+/- 2.5% std. dev.)  One third of it expected to origin from the QPS  Calculations of availability based on  About 3500 BLMs  About 4000 channels for QPS  36 PIC and 16 BIC systems  Generally  Contribution of powering system within the MPS needs to be assessed in more detail and could have been overestimated  For QPS power converters of electronics are not included. If included number of false quenches almost x 2 – see Chamonix 2003, p However, the pc could be doubled if found necessary ($)  Some systems still under development

Jan Uythoven, 2005, Green Light Page 20 Keeping in mind  Results shown for a simplified model of the MPS  Not in: beam position, RF, collimation system, post mortem  Distinction on source of dump requests could be necessary  Distinction on fraction of false dumps due to surveillance and due to the actual equipment can be interesting  Some calculations are preliminary (BIC)  Sensitivity analyses  Availability also depends on systems outside the MPS  Power converters, cryogenics, vacuum,…

Jan Uythoven, 2005, Green Light Page 21 Trading-off Safety and Availability  The MPS is a trade-off  Safety is the primary goal of the MPS while keeping the Availability acceptable  Many interlocks make the system safer BUT any faulty interlock (fail-safe) reduces the availability of the system  Therefore, Safety and Availability are correlated.  Safe beam flag  Benefit: some interlocks are maskable during non critical phases  Operational freedom, increased availability  Drawback: reliable tracking of phase changes is mandatory  If it fails, it must fail safely

Jan Uythoven, 2005, Green Light Page 22 Conclusions  Safety  Failing unsafe  3 /1000 years  Equivalent to 7.5  /h and compatible with SIL2 (10 -7 /h) of IEC standard for safety critical system  Beam dumping system itself: 7  /h: SIL4  Acceptable ?  Availability coming from MPS   20 false dumps per year, 5 % of all fills  Acceptable ?  Other systems ?  Comments  Simplified system  Importance of post mortem  Reliable safe beam flag Acknowledgements: Machine Protection Reliability Working Group Green Light from MPS:  95 % of the time