Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Will We Ever Get The Green Light For Beam Operation? J. Uythoven & R. Filippini For the Reliability Working Group Sub Working Group of the MPWG.

Published byEvan Moody Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Will We Ever Get The Green Light For Beam Operation? J. Uythoven & R. Filippini For the Reliability Working Group Sub Working Group of the MPWG."— Presentation transcript:

1 1 Will We Ever Get The Green Light For Beam Operation? J. Uythoven & R. Filippini For the Reliability Working Group Sub Working Group of the MPWG

2 Jan Uythoven, AB/BTChamonix@CERN 2005, Green Light Page 2 Topics of the Presentation  LHC Machine Protection System (MPS)  Red / green light to LHC operations  ‘Reliability’ concerns  Safety and Availability  The simplified MPS studied  Models, analysis and results  Comments and remarks  Conclusions

3 Jan Uythoven, AB/BTChamonix@CERN 2005, Green Light Page 3  Red light for beam operation  If we need to abort the beam, does it get dumped correctly?  Safety  Main tasks of MPS  Transmission of beam dump request  Execution of beam dump request  Historical  Afraid of missing or bad execution of a beam dump  Historical concept of ‘reliable’ beam dumping system: 1 failure per 100 years MPS: Avoid Damage Red Light

4 Jan Uythoven, AB/BTChamonix@CERN 2005, Green Light Page 4 MPS: Allow Operation Green Light  Green light for beam operation  Does the MPS let us operate the machine?  Availability  False dump  No green light due to  Faulty ‘core equipment’ within the MPS  Fault in the surveillance system within the MPS: False Alarm

5 Jan Uythoven, AB/BTChamonix@CERN 2005, Green Light Page 5 Aims of Machine Protection System Analysis  Availability of the MPS  System available on demand (at moment of dump request)  No false dumps are allowed  Unavailability in term of number of false dumps per year  Safety of the MPS  System available on demand (at moment of dump request)  False dumps are allowed, system remains safe  Unsafety in terms of probability per year The probability that the system terminates its task without any consequences regarding damage or loss of equipment. The probability that the system is performing the required function at a stated instant of time. And what about RELIABILITY ? RELIABILITY: The probability that the system is performing the required function for a stated PERIOD OF TIME RELIABILITY The plane is reliable if it gets me to my destination, once it is in the air SAFETY: One engine of the airplane broke down, but it landed safely at a different airport AVAILIBILITY: The plane leaves on time – on demand Processes which are not continuous; repair the plane between flights The ensemble is called DEPENDABILITY

6 Jan Uythoven, AB/BTChamonix@CERN 2005, Green Light Page 6 Aims of Machine Protection System Analysis  Availability of the MPS  System available on demand (at moment of dump request)  No false dumps are allowed  Unavailability in term of number of false dumps per year  Safety of the MPS  System available on demand (at moment of dump request)  False dumps are allowed, system remains safe  Unsafety in terms of probability per year The probability that the system terminates its task without any consequences regarding damage or loss of equipment. The probability that the system is performing the required function at a stated instant of time.

7 Jan Uythoven, AB/BTChamonix@CERN 2005, Green Light Page 7 Machine Protection System Simplified Architecture BIS Beam Interlock System: BIC1 (R/L) – BIC8 (R/L) BIC x Beam Interlock Controller at point x (our definition) BLM Beam Loss Monitors LBDS LHC Beam Dumping System PIC Powering Interlock Controller QPS Quench Protection System

8 Jan Uythoven, AB/BTChamonix@CERN 2005, Green Light Page 8 Functional Architecture Used for the Calculations QPS Systems available at a dump request from point x PIC BLM BIC x BIC 1 Dump request from the control room BIC 6L LBDS Systems to be available at any dump request BIC 6R

9 Jan Uythoven, AB/BTChamonix@CERN 2005, Green Light Page 9 Assumptions for MPS Calculations  Operational scenario  Assume 200 days/year of operation, 10 hours per run followed by post mortem, 400 fills per year  For every beam dump LBDS + (BIC+BLM+PIC+QPS) point x  Conservative for safety calculations concerning BLM, PIC and QPS  Realistic for availability calculations  Failure rates  Assume constant failure rates  Calculated in accordance to the Military Handbook 217F  Others  The system may fail only when it operates  It cannot be repaired if failed unsafe  GAME OVER The rate at which failure occurs as a function of time

10 Jan Uythoven, AB/BTChamonix@CERN 2005, Green Light Page 10 Benefit of Diagnostics for Redundant Systems  Diagnostics is performed every 10 hours (example)  The system is recovered at full redundancy  Regeneration points  Failure rate is lower bounded by the non-redundant part 10 -7 /h 10 -4 /h

11 Jan Uythoven, AB/BTChamonix@CERN 2005, Green Light Page 11 Assumptions for MPS Calculations … continued  Regeneration points depend on diagnostics effectiveness  Benefits from diagnostic exist for all redundant systems in the MPS SYSTEMPartial regenerationAs good as new LBDS, BIC, PIC-Post mortem at every fill QPS-Power abort or monthly inspection BLMPost mortem at every fillYearly overhaul The instant when a system is recovered to a fault free state (as good as new)

12 Jan Uythoven, AB/BTChamonix@CERN 2005, Green Light Page 12 BEAM in the LHC Subsystem Analysis LBDS MKD Q4,MSD MKB TDE BEAM dumped Triggering + Re-triggering Dump trigger RF Powering + Surveillance Dump request BEM

13 Jan Uythoven, AB/BTChamonix@CERN 2005, Green Light Page 13 State Transition Diagram LBDS AvailableFailed Silent faults SAFETY = available or failed safely False alarm Failed safely Undetected faults Detected faults Surveillance

14 Jan Uythoven, AB/BTChamonix@CERN 2005, Green Light Page 14 Results for one LBDS  Results for the MKD kickers including the triggering/re-triggering systems and the powering surveillance ONE LBDSUnsafety / yearFalse dumps / year The system 1.4  10 -7 2.6 (+/-1.6) Safety bottleneckMKD Magnets (coils + current cables): no surveillance False dumps bottleneckPower triggers (power supplies)

15 Jan Uythoven, AB/BTChamonix@CERN 2005, Green Light Page 15 Some Plots Unsafety per year = 400 missions False dumps distribution per year

16 Jan Uythoven, AB/BTChamonix@CERN 2005, Green Light Page 16 Post Mortem for LBDS  Post mortem benefit  Analyses the past fill and recovers the system to as good as new state  Gives the local beam permit to the next LHC fill.  Note  Faulty post mortem may seriously affect safety. LBDS failure rate with and without post mortem (over 10 consecutive missions) With.. Without post mortem

17 Jan Uythoven, AB/BTChamonix@CERN 2005, Green Light Page 17 Results for the Simplified MPS SystemUnsafety/yearFalse dumps/year Average Std. Dev. Analysis includingNot included LBDS [RF] 1.4  10 -7 (2X) 2.6 (2X) (+/-1.6) (Re-)triggering system,MKD (MIL-217F) BET, BEM (assumptions) MSD, Q4, MKB TDE BIC [BT] 0.7  10 -3 1.6 (+/-1.3) User Boxes only (MIL-217F)BIC core, VME and permit loops BLM [GG] 1.7  10 -3 4.8 (+/-2.1) Focused loss on single monitor (MIL-217F, SPS data) Design upgrades PIC [MZ] 0.5  10 -3 1.5 (+/-1.2) One LHC sector (MIL-217F)PLC QPS [AV] 0.4  10 -3 7.7 (+/-2.7) Complete system (MIL- 217F) Power converters for electronics OVERALL RESULTS MPS 3.3  10 -3 20.6 (+/-10.5) -

18 Jan Uythoven, AB/BTChamonix@CERN 2005, Green Light Page 18 Comment on Results Safety  Probability of failing unsafe about 300 years (Mean Time To Failure)  The punctual loss for the BLM is too conservative as a beam loss is likely to affect several monitors. If at least two monitors are concerned then BLM unsafety < 2.9  10 -6 per year instead of 1.7  10 -3  Optimistic method of calculation  BIC model only includes user boxes (= single point of failure)  Many systems not included in the analysis  But most critical systems should be in  Conservative method of calculation  Assumes all systems (one of each) have to be available for every beam dump  The QPS, the PIC and the BLM are not always required  LBDS itself extremely safe  Due to large redundancy in the active system and in the surveillance system

19 Jan Uythoven, AB/BTChamonix@CERN 2005, Green Light Page 19 Comments on Results Availability  20 false dumps per year expected  5 % of all fills (+/- 2.5% std. dev.)  One third of it expected to origin from the QPS  Calculations of availability based on  About 3500 BLMs  About 4000 channels for QPS  36 PIC and 16 BIC systems  Generally  Contribution of powering system within the MPS needs to be assessed in more detail and could have been overestimated  For QPS power converters of electronics are not included. If included number of false quenches almost x 2 – see Chamonix 2003, p. 209. However, the pc could be doubled if found necessary ($)  Some systems still under development

20 Jan Uythoven, AB/BTChamonix@CERN 2005, Green Light Page 20 Keeping in mind  Results shown for a simplified model of the MPS  Not in: beam position, RF, collimation system, post mortem  Distinction on source of dump requests could be necessary  Distinction on fraction of false dumps due to surveillance and due to the actual equipment can be interesting  Some calculations are preliminary (BIC)  Sensitivity analyses  Availability also depends on systems outside the MPS  Power converters, cryogenics, vacuum,…

21 Jan Uythoven, AB/BTChamonix@CERN 2005, Green Light Page 21 Trading-off Safety and Availability  The MPS is a trade-off  Safety is the primary goal of the MPS while keeping the Availability acceptable  Many interlocks make the system safer BUT any faulty interlock (fail-safe) reduces the availability of the system  Therefore, Safety and Availability are correlated.  Safe beam flag  Benefit: some interlocks are maskable during non critical phases  Operational freedom, increased availability  Drawback: reliable tracking of phase changes is mandatory  If it fails, it must fail safely

22 Jan Uythoven, AB/BTChamonix@CERN 2005, Green Light Page 22 Conclusions  Safety  Failing unsafe  3 /1000 years  Equivalent to 7.5  10 -7 /h and compatible with SIL2 (10 -7 /h) of IEC-61508 standard for safety critical system  Beam dumping system itself: 7  10 -11 /h: SIL4  Acceptable ?  Availability coming from MPS   20 false dumps per year, 5 % of all fills  Acceptable ?  Other systems ?  Comments  Simplified system  Importance of post mortem  Reliable safe beam flag Acknowledgements: Machine Protection Reliability Working Group Green Light from MPS:  95 % of the time

Download ppt "1 Will We Ever Get The Green Light For Beam Operation? J. Uythoven & R. Filippini For the Reliability Working Group Sub Working Group of the MPWG."

Similar presentations

26 Apr 2004RSWG G.Guaglio 1/4 Reliability Sub-Working Group False Dumps generation.

26 Apr 2004RSWG G.Guaglio 1/4 Reliability Sub-Working Group False Dumps generation.
Jan Uythoven, AB/BTLHCCWG, 3 May 2006 Page 1 450 GeV Commissioning Machine Protection Needs to be commissioned to: Prevent damage with the used, higher.

Jan Uythoven, AB/BTLHCCWG, 3 May 2006 Page GeV Commissioning Machine Protection Needs to be commissioned to: Prevent damage with the used, higher.
Etienne CARLIER AB/BT/EC

Etienne CARLIER AB/BT/EC
12/03/2013MPP Workshop Annecy Update on Beam Failure Scenarios Jan Uythoven Thanks to: T.Baer, R.Schmidt, J.Wenninger, D.Wollmann, M.Zerlauth, other MPP.

12/03/2013MPP Workshop Annecy Update on Beam Failure Scenarios Jan Uythoven Thanks to: T.Baer, R.Schmidt, J.Wenninger, D.Wollmann, M.Zerlauth, other MPP.
LHC UPS Systems and Configurations: Changes during the LS1 V. Chareyre / EN-EL LHC Beam Operation Committee 11 February 2014 EDMS No. 1354977111/02/2014.

LHC UPS Systems and Configurations: Changes during the LS1 V. Chareyre / EN-EL LHC Beam Operation Committee 11 February 2014 EDMS No /02/2014.
Concept & architecture of the machine protection systems for FCC

Concept & architecture of the machine protection systems for FCC
Failure mode impact studies and LV system commissioning tests

Failure mode impact studies and LV system commissioning tests
Beam Dumping System – Failure Scenarios Brennan Goddard, CERN AB/BT How the dump system can fail Catalogue of primary failures Failure classes and protection.

Beam Dumping System – Failure Scenarios Brennan Goddard, CERN AB/BT How the dump system can fail Catalogue of primary failures Failure classes and protection.
Technical review on UPS power distribution of the LHC Beam Dumping System (LBDS) Anastasia PATSOULI TE-ABT-EC Proposals for LBDS Powering Improvement 1.

Technical review on UPS power distribution of the LHC Beam Dumping System (LBDS) Anastasia PATSOULI TE-ABT-EC Proposals for LBDS Powering Improvement 1.
The Architecture, Design and Realisation of the LHC Beam Interlock System Machine Protection Review – 12 th April 2005.

The Architecture, Design and Realisation of the LHC Beam Interlock System Machine Protection Review – 12 th April 2005.
Preconditions for operating at 5 TeV in 2010 Session 1 - 25 th January 2010 J. Wenninger BE/OP How to safely reach higher energies and intensities? Settings.

Preconditions for operating at 5 TeV in 2010 Session th January 2010 J. Wenninger BE/OP How to safely reach higher energies and intensities? Settings.
LHC Beam Dump System Technical Audit Trigger Synchronisation Unit.

LHC Beam Dump System Technical Audit Trigger Synchronisation Unit.
BIW May 2004 LHCSILSystemsBLMSSoftwareResults Reliability of BLMS for the LHC. G.Guaglio, B Dehning, C. Santoni 1/15 Reliability of Beam Loss Monitors.

BIW May 2004 LHCSILSystemsBLMSSoftwareResults Reliability of BLMS for the LHC. G.Guaglio, B Dehning, C. Santoni 1/15 Reliability of Beam Loss Monitors.
Distribution of machine parameters over GMT in the PS, SPS and future machines J. Serrano, AB-CO-HT TC 6 December 2006.

Distribution of machine parameters over GMT in the PS, SPS and future machines J. Serrano, AB-CO-HT TC 6 December 2006.
Drive beam magnets powering strategy Serge Pittet, Daniel Siemaszko CERN, Electronic Power Converter Group (TE-EPC) 20.10.2010 OUTLINE : Suggestion of.

Drive beam magnets powering strategy Serge Pittet, Daniel Siemaszko CERN, Electronic Power Converter Group (TE-EPC) OUTLINE : Suggestion of.
1 LBDS Testing Before Operation Jan Uythoven (AB/BT) Based on the work of many people in the KSL, EC and TL sections.

1 LBDS Testing Before Operation Jan Uythoven (AB/BT) Based on the work of many people in the KSL, EC and TL sections.
Chamonix 20091 Risks due to UPS malfunctioning Impact on the Superconducting Circuit Protection System Hugues Thiesen Acknowledgments:K. Dahlerup-Petersen,

Chamonix Risks due to UPS malfunctioning Impact on the Superconducting Circuit Protection System Hugues Thiesen Acknowledgments:K. Dahlerup-Petersen,
B. Todd et al. 25 th August 2009 Observations Since 2005 0v1.

B. Todd et al. 25 th August 2009 Observations Since v1.
Premature Dumps in 2011 Acknowledgements: A.Macpherson, G.Papotti, M.Zerlauth M.Albert LHC Beam Operation Workshop December 2011.

Premature Dumps in 2011 Acknowledgements: A.Macpherson, G.Papotti, M.Zerlauth M.Albert LHC Beam Operation Workshop December 2011.
LBDS overview on system analysis and design upgrades during LS1 Roberto Filippini, Etienne Carlier, Nicolas Magnin, Jan Uythoven CERN Workshop Machine.

LBDS overview on system analysis and design upgrades during LS1 Roberto Filippini, Etienne Carlier, Nicolas Magnin, Jan Uythoven CERN Workshop Machine.

Similar presentations

Ads by Google