BIW May 2004 LHCSILSystemsBLMSSoftwareResults Reliability of BLMS for the LHC. G.Guaglio, B Dehning,...

Reliability of BLMS for the LHC.

G.Guaglio, B Dehning, C. Santoni

1/15BIW May 2004

LHC SIL Systems BLMS Software Results

Reliability of Beam Loss Monitors System for the Large Hadron Collider

Reliability of Beam Loss Monitors System for the Large Hadron Collider



2/15BIW May 2004


LHC Superconductive Magnets

In LHC there are:514 main quadrupoles

(MQ),1232 main dipoles (MD).Favorite loss location:

quadrupole and transitions.

We will monitor only the MQ (and some other critical locations). If losses exceed a threshold, a dump signal is generated.

RF

Cle

anin

g

sectio

n

Proton injection

Dump

Cle

anin

g

sect

ion

Proton injection



3/15BIW May 2004


SIL approachSafety Integrity Levels (IEC 61508): our

guideline for LHC protection systems.

Events definition Event

gravity

Event frequency Suggested system

failure rateExpected (LHC) system failure rate

Faced risk

Magnet Destruction

False Dump

Substitution downtime

Recovering downtime

Dangerous losses/y

False dump/y

Suggested/Tolerable failure rates

Unavailability of protection system

Failure rate frequency

Destruct magnets/y

False dumps/y



4/15BIW May 2004


Events Definition

Prevent superconductive magnet destruction (MaDe) due to an high loss (~30 downtime days for substitution).

Avoid false dumps (FaDu) ( ~3 downtime hours to recover previous beam status).

System fault events



5/15BIW May 2004


FrequencyTABLE 1). Frequency table used for LHC risk definition.

Category Description Indicative frequency level (per year)

Frequent Events which are very likely to occur

> 1

Probable Events that are likely to occur

10-1 - 1

Occasional Events which are possible and expected to

occur

10-2 – 10-1

Remote Events which are possible but not

expected to occur

10-3 – 10-2

Improbable Events which are unlikely to occur

10-4 – 10-3

Negligible / Not credible Events which are extremely unlikely to

occur

< 10-4



6/15BIW May 2004


GravityTABLE 1). Gravity table used for LHC risk definition.

Category Injury to personnel Damage to equipment

Criteria N. fatalities (indicative)

CHF Loss Downtime

Catastrophic

Events capable of resulting in

multiple fatalities

1 > 5*107 > 6 months

Major Events capable of resulting in a

fatality

0.1 (or 1 over 10 accidents)

106 – 5*107 20 days to 6 months

Severe Events which may lead to serious, but

not fatal, injury


105 – 106 3 to 20 days

Minor Events which may lead to minor

injuries


0 – 105 < 3 days



7/15BIW May 2004


SIL levelsEvent Likelihood Consequence

Catas-trophic

Major Severe

Minor

Frequent SIL 4 SIL 3 SIL 3 SIL 2

Probable SIL 3 SIL 3 SIL 3 SIL 2

Occasional SIL 3 SIL 3 SIL 2 SIL 1

Remote SIL 3 SIL 2 SIL 2 SIL 1

Improbable SIL 3 SIL 2 SIL 1 SIL 1

Negligible / Not Credible

SIL 2 SIL 1 SIL 1 SIL 1

SIL Probability of a dangerous failure per hour

4 10-9 < Pr < 10-8

3 10-8 < Pr < 10-7

2 10-7 < Pr < 10-6

1 10-6 < Pr < 10-5

For high demand /continuousmode ofoperation systems



8/15BIW May 2004


LHC Systems

MaD

eLo

ss

Dura

tion

<10m

s>

10

sm

iddl

e

FaD

u

Resi

stiv

e

magnets

Life

tim

e

RF

Beam

posi

tion Acc

ess

Tim

ing

Experi

ments

Colli

mati

on

Vacu

um

Dum

p

Beam

Energ

y

Inte

rlock

s Cry

ogenic

s

Quench

pro

tect

ion

Beam

Loss

4 first line systems: average

2.5E-8/h

~20 dump generator systems: average 5E-8/h

Pow

er

convert

er



9/15BIW May 2004


BLMSCurrent tofrequencyconverter

Multi-plexerLASER

DiodeDemulti-plexer

Thresholdcomparator

BIC (Dump)Beam PermitBeam EnergyVME Bus

Analogue Electronics Digital Electronics

Below Quad. in ARC

Ionization chamber

At surface (SR, SX)

Switch

Iin(t)

Referencecurrent

Tresholdcomparator

One-shotT

Iref

Integrator

fout1.E+06

1.E+07

1.E+08

1.E+09

1.E+10

1.E+11

1.E+12

1.E+13

1.E+14

1.E+15

1.E-02 1.E-01 1.E+00 1.E+01 1.E+02 1.E+03 1.E+04 1.E+05 1.E+06

duration of loss [ms]

qu

en

ch

le

ve

ls [

pro

ton

/m/s

]

7 TeV

450 GeV



10/15BIW May 2004


Availability improvements

Test (continuously, 20 hours and yearly) of detector and analog electronic, to face integral dose degradation; voting for digital part, to avoid single event effects.

Actions against the weakest elements (lasers, CRC, decisions table,…):redundancy.



11/15BIW May 2004


Failure Rates

Element

Failure rate [10-8 1/h]Inspecti

on interval

[h]

NotesSingle Not

redundantRedund

ant

IC+cable+terminations

2.5

24

20 Experience SPS

Integrator 2.0

Contin

uous (4

0 s)

Dose

an

d fl

uence

te

sted

Switch 8.7

FPGA TX* 200

840 0.014

Laser 510

2 Optical connectors

20

Optical fibre 20

Photodiode 3.2

FPGA RX* 70

Reference:MIL-HDBK-217FIC calculated with 60% confidence level of no fails over 140 IC in 30 years in SPS



12/15BIW May 2004


Component failure rate predictions.

Assembly failure mode.

System dependability.

References:MIL-217 (electronic), Telcordia (telecommunication), IEC (electronic), NSWC (mechanical)

Failure Mode Effect and Criticality Analysis

Reliability Block DiagramFault Tree

Software possibilities

Front end electronic

MonitorSurface

electronicDump

electronicLaser line 1

Laser line 2

Dump line 1

Dump line 2

Dump line 3

2

System failure

FPGA TX

FPGA RX

Com-biner2oo3

ICBeam

interlockDUMP



13/15BIW May 2004


0.6

0.45

0.3

0.15

0

I C

JFE

T1

JFE

T2 OP

A1

OP

A2

LA

SER

1

LA

SER

2

Rel

ativ

e im

por

tan

ce

Software outputs

Time profiles

Importance diagram

Un

reli

abil

ity

40 s 80 s20 h 40 h

Unavailability, failure rate,…



14/15BIW May 2004


Results

FaDu (no Power Supply): 2.4 10-7/h * 4000 h/y * 3200 = 3/y

Foreseen event frequency:

“Focused” dangerous losses per years:

pessimistic!

Number of channels

Beam hours: 200 d*20 h/d

We are beyond the Functional limits, but tolerable for Malfunction approach: good confidence that in 20 year we will lose (less than) the 16 spares magnets and BLMS generate around 3 false dump per year.

SIL suggested rate: 2.5 10-8/h

SIL suggested rate: 5.0 10-8/h

5.0 10-7/h * 4000 h/y * 100 = 0.2/yMaDe (single channel):



15/15BIW May 2004


Conclusions1. Probable multi-detection per loss

(further simulations on going): MaDe OK.

2. FaDu improving with better electronic components (and better power distribution).

3. The systematic reliability approach guide the BLMS design (redundancies, testing, sensitivity evaluations).



16/15BIW May 2004


Questions?Don’t shoot

the messenger.

BIW May 2004 LHCSILSystemsBLMSSoftwareResults Reliability of BLMS for the LHC. G.Guaglio, B Dehning,...

Documents

Transcript of BIW May 2004 LHCSILSystemsBLMSSoftwareResults Reliability of BLMS for the LHC. G.Guaglio, B Dehning,...