Reliability of Beam Loss Monitors System for the Large Hadron Collider · 2004. 10. 25. ·...
Transcript of Reliability of Beam Loss Monitors System for the Large Hadron Collider · 2004. 10. 25. ·...
Reliability of BLMS for the LHC.G.Guaglio, B Dehning, C. Santoni
1/16ICFA Oct 2004
LHC SIL Systems BLMS Software Results
Reliability of Beam Loss Monitors System for the Large
Hadron Collider
Reliability of Beam Loss Monitors System for the Large
Hadron Collider
Reliability of BLMS for the LHC.G.Guaglio, B Dehning, C. Santoni
2/16ICFA Oct 2004
LHC SIL Systems BLMS Software Results
LHC Superconductive MagnetsIn LHC there are:
514 main quadrupoles (MQ),1232 main dipoles (MD).
Favorite loss location: quadrupole and transitions.
We will monitor only the MQ (and some other critical locations):
• aperture changes,• larger beam size, • most sensitive location to orbit
changes.
If losses exceed a threshold, a dump signal is generated.
RF
Cleaning
section
Proton injection
Dump
Cle
anin
g se
ctio
n
Proton injection
Reliability of BLMS for the LHC.G.Guaglio, B Dehning, C. Santoni
3/16ICFA Oct 2004
LHC SIL Systems BLMS Software Results
SIL approachSafety Integrity Levels (IEC 61508): our guideline for LHC protection systems.
Events definition:frequency x gravity = event risk
Suggested-Tolerable failure rates
System design
System analysis: system failure rates
comparison
Magnet Destruction:Dangerous losses/y x Substitution downtime
False Dump:False dump/y x Recovering downtime
Destruct magnets/y
False dumps/y
Suggested-Tolerable failure rates/h
BLMS design
comparison
BLMS case
Reliability of BLMS for the LHC.G.Guaglio, B Dehning, C. Santoni
4/16ICFA Oct 2004
LHC SIL Systems BLMS Software Results
Events Definition
Prevent superconductive magnet destruction (MaDe) due to an high loss (~30 downtime days for substitution).
Avoid false dumps (FaDu) ( ~3 downtime hours to recover previous beam status).
System fault events
Reliability of BLMS for the LHC.G.Guaglio, B Dehning, C. Santoni
5/16ICFA Oct 2004
LHC SIL Systems BLMS Software Results
Frequency
< 10-4Events which are extremely unlikely to occur
Negligible / Not credible
10-4 – 10-3Events which are unlikely to occur
Improbable
10-3 – 10-2Events which are possible but not expected to occur
Remote
10-2 – 10-1Events which are possible and expected to occur
Occasional
10-1 - 1Events that are likely to occur
Probable
> 1Events which are very likely to occur
Frequent
Indicative frequency level (per year)
DescriptionCategoryTABLE 1). Frequency table used for LHC risk definition.
Reliability of BLMS for the LHC.G.Guaglio, B Dehning, C. Santoni
6/16ICFA Oct 2004
LHC SIL Systems BLMS Software Results
Gravity
< 3 days0 – 1050.001 (or 1 over 1000 accidents)
Events which may lead to minor injuries
Minor
3 to 20 days105 – 1060.01 (or 1 over 100 accidents)
Events which may lead to serious, but
not fatal, injury
Severe
20 days to 6 months
106 – 5*1070.1 (or 1 over 10 accidents)
Events capable of resulting in a fatality
Major
> 6 months> 5*107≥1Events capable of resulting in multiple
fatalities
Catastrophic
DowntimeCHF LossN. fatalities (indicative)
CriteriaDamage to equipmentInjury to personnelCategory
TABLE 1). Gravity table used for LHC risk definition.
Reliability of BLMS for the LHC.G.Guaglio, B Dehning, C. Santoni
7/16ICFA Oct 2004
LHC SIL Systems BLMS Software Results
SIL levels and failure rates
SIL 1SIL 1SIL 1SIL 2Negligible / Not Credible
SIL 1SIL 1SIL 2SIL 3Improbable
SIL 1SIL 2 SIL 2SIL 3Remote
SIL 1SIL 2SIL 3SIL 3Occasional
SIL 2SIL 3SIL 3SIL 3Probable
SIL 2SIL 3SIL 3SIL 4Frequent
MinorSevereMajorCatas-trophic
ConsequenceEvent Likelihood
10-6 < Pr < 10-5110-7 < Pr < 10-6210-8 < Pr < 10-7310-9 < Pr < 10-84
Probability of a dangerous failure per hour
SIL
For high demand /continuousmode ofoperation systems
Reliability of BLMS for the LHC.G.Guaglio, B Dehning, C. Santoni
8/16ICFA Oct 2004
LHC SIL Systems BLMS Software Results
LHC Interlocked SystemsEq
uipm
ent p
re-
serv
ing
syst
ems
(pre
vent
MaD
e)R
eact
ion
time
<10m
s>1
0sm
iddl
e
Con
nect
ed to
th
e in
terlo
ck:
FaD
uG
ener
ator
s
Res
istiv
e m
agne
ts
Fast
Bea
m C
urre
nt D
ecay
RF
Beam
Pos
ition
Mon
itors
Acce
ss
Tim
ing
LHC
Exp
erim
ents
Col
limat
ors
Vacu
um
LHC
Bea
m D
ump
Beam
Ene
rgy
Trac
king
LHC
Bea
m In
terlo
cks
Cry
ogen
ics
Que
nch
Prot
ectio
n
Beam
Los
s M
onito
rs
4 first line systems: Σ λ < 1E-7 /h
~20 dump generator systems: Σ λ < 1E-6 /h
Pow
er C
onve
rters
Reliability of BLMS for the LHC.G.Guaglio, B Dehning, C. Santoni
9/16ICFA Oct 2004
LHC SIL Systems BLMS Software Results
BLMS OverviewCurrent tofrequencyconverter
Multi-plexerLASER
DiodeDemulti-plexer
Thresholdcomparator
BIC (Dump)Beam PermitBeam EnergyVME Bus
Analogue Electronics Digital Electronics
Below Quad. in ARC
Ionization chamber
At surface (SR, SX)
Switch
Iin(t)
Referencecurrent
Tresholdcomparator
One-shot∆T
Iref
Integrator
fout1.E+06
1.E+07
1.E+08
1.E+09
1.E+10
1.E+11
1.E+12
1.E+13
1.E+14
1.E+15
1.E-02 1.E-01 1.E+00 1.E+01 1.E+02 1.E+03 1.E+04 1.E+05 1.E+06duration of loss [ms]
quen
ch le
vels
[pro
ton/
m/s
]
7 TeV
450 GeV
Reliability of BLMS for the LHC.G.Guaglio, B Dehning, C. Santoni
10/16ICFA Oct 2004
LHC SIL Systems BLMS Software Results
Dependability improvementsFail Safe DesignThe design is conceived to generate a normal status variation following a fail.
Availability ImprovementsTest (continuously, 20 hours and yearly) of detector and analog electronic, to face integral dose degradation; voting for digital part, to avoid single event effects.
Reliability ImprovementsActions against the weakest elements : redundancy(lasers, CRC, decisions table,…).
Reliability of BLMS for the LHC.G.Guaglio, B Dehning, C. Santoni
11/16ICFA Oct 2004
LHC SIL Systems BLMS Software Results
Failure RatesNotes
Failure rate λ [10-8 1/h]
840
24
Not redundant
70FPGA RX*
8.7Switch
Dose and
fluence tested
Continuous (40 µs)
2.0IntegratorExperience SPS202.5IC+cable+terminations
0.014
Redundant
3.2Photodiode20Optical fibre
202 Optical connectors510Laser200FPGA TX*
GeneralInspection interval [h]Single
Component
Reference:MIL-HDBK-217FIC calculated with 60% confidence level of no fails over 140 IC in 30 years in SPS
Reliability of BLMS for the LHC.G.Guaglio, B Dehning, C. Santoni
12/16ICFA Oct 2004
LHC SIL Systems BLMS Software Results
System failure
Front end electronicMonitor Surface
electronicDump
electronicLaser line 1
Laser line 2
OR AND
OR
Component failure rate predictions.
Assembly failure mode.
System dependability.
References:MIL-217 (electronic), Telcordia (telecommunication), IEC (electronic), NSWC (mechanical)
Failure Mode Effect and Criticality Analysis
Reliability Block DiagramFault Tree
Isograph Reliability Workbench
FPGA TX
FPGA RX
Com-binerIC Beam
interlock DUMP
Reliability of BLMS for the LHC.G.Guaglio, B Dehning, C. Santoni
13/16ICFA Oct 2004
LHC SIL Systems BLMS Software Results
FMECA analysis
1.12 an optical line fails, 2.12 an optical linefails, 3.1 an optical line fails
Availabilityreduction
3
1.1 No HT, 1.2 wrong HT, 1.7 no CFC signal, 1.9 wrong CFC signal, 1.11 No data 2.1 No HT, 2.2 wrong HT, 2.7 no CFC signal, 2.9 wrong CFC signal, 2.11 No data, 3.2 DAB false dump, 3.3 energy
unsafe, 3.5 no alimentation
False dump
2
1.3 no IC signal, 1.4 wrong IC signal, 1.5 noise variation, 1.6 noise increase, 1.8 hidden wrong CFC signal, 1.10 Blind HT 2.3 no IC signal, 2.4 wrong IC signal, 2.5 noise variation, 2.6 noise increase, 2.8
hidden wrong CFC signal, 2.10 Blind HT, 3.4 switch unsafe
Unsafemission
1
ContributorsFailureMode
EntryID
Block : BLMS
Block : 1 ID: tunnel installationLevel: 1
daily andmore
Unsafe mission
1.2.3 Degradation of Cable Insulation Resistance, 1.2.4 Cable Miscellaneous Mechanical Failures,
1.2.11 IC gas pressure change
wrong ICsignal
1.4
dailyUnsafe mission
1.2.1 Signal Cable Shorts (Poor Sealing), 1.2.2 Mechanical Failure of Cable Solder Joints
no IC signal1.3
continuousFalsedump
1.1.3 Degradation of Insulation Resistance, 1.1.4 Poor Contact Resistance, 1.1.5 Miscellaneous Mechanical
Failures
wrong HT1.2
Detection Method
EndEffects
ContributorsFailureMode
EntryID
Block : 1.2Function: Detect loss ID: IC+cable
Radiation Source
Unsafe mission
wrong signal
from IC
IC gaspressurechange
1.2.11
Surface HT
status
False dump
No HTCIC Shorted(Electrical)
1.2.5
HV modulation
Unsafe mission
No IC signal
Signal CableShorts (Poor
Sealing)
1.2.1
DetectionMethod
EndEffects
EffectsFailureMode
EntryID
Reliability of BLMS for the LHC.G.Guaglio, B Dehning, C. Santoni
14/16ICFA Oct 2004
LHC SIL Systems BLMS Software Results
0.6
0.45
0.3
0.15
0
IC
JFE
T1
JFE
T2
OPA
1
OPA
2
LA
SER
1
LA
SER
2
Rel
ativ
e im
port
ance
Importance analysis
Importance diagram
Unavailability, failure rate,…
Time profiles
Unr
elia
bilit
y
40 µs 80 µs20 h 40 h
time
Reliability of BLMS for the LHC.G.Guaglio, B Dehning, C. Santoni
15/16ICFA Oct 2004
LHC SIL Systems BLMS Software Results
Results
FaDu (no Power Supply): 2.4 10-7/h * 4000 h/y * 3200 = 3/y
Foreseen events frequency:
“Focused” dangerous losses per years: pessimistic!
Number of channels
Beam hours: 200 d*20 h/d
We are beyond the Functional limits, but tolerable for Malfunction approach: good confidence that in 20 year we will lose (less than) the 16 spares magnets and BLMS generate around 3 false dump per year.
SIL MaDe suggested rate: 2.5 10-8/h
SIL FaDu suggested rate: 5.0 10-8/h
MaDe (single channel): 5.0 10-7/h * 4000 h/y * 100 = 0.2/y
Reliability of BLMS for the LHC.G.Guaglio, B Dehning, C. Santoni
16/16ICFA Oct 2004
LHC SIL Systems BLMS Software Results
Conclusions1. Probable multi-detection per loss (further
simulations on going): MaDe OK.2. FaDu improving with better electronic
components (and better power distribution).
3. The systematic reliability approach guide the BLMS design (redundancies, testing, sensitivity evaluations).