Reliability of BLMS for the LHC.G.Guaglio, B Dehning, C. Santoni

1/16ICFA Oct 2004

LHC SIL Systems BLMS Software Results

Reliability of Beam Loss Monitors System for the Large

Hadron Collider

Reliability of Beam Loss Monitors System for the Large

Hadron Collider

Reliability of BLMS for the LHC.G.Guaglio, B Dehning, C. Santoni

2/16ICFA Oct 2004

LHC SIL Systems BLMS Software Results

LHC Superconductive MagnetsIn LHC there are:

514 main quadrupoles (MQ),1232 main dipoles (MD).

Favorite loss location: quadrupole and transitions.

We will monitor only the MQ (and some other critical locations):

• aperture changes,• larger beam size, • most sensitive location to orbit

changes.

If losses exceed a threshold, a dump signal is generated.

RF

Cleaning

section

Proton injection

Dump

Cle

anin

g se

ctio

n

Proton injection

Reliability of BLMS for the LHC.G.Guaglio, B Dehning, C. Santoni

3/16ICFA Oct 2004

LHC SIL Systems BLMS Software Results

SIL approachSafety Integrity Levels (IEC 61508): our guideline for LHC protection systems.

Events definition:frequency x gravity = event risk

Suggested-Tolerable failure rates

System design

System analysis: system failure rates

comparison

Magnet Destruction:Dangerous losses/y x Substitution downtime

False Dump:False dump/y x Recovering downtime

Destruct magnets/y

False dumps/y

Suggested-Tolerable failure rates/h

BLMS design

comparison

BLMS case

Reliability of BLMS for the LHC.G.Guaglio, B Dehning, C. Santoni

4/16ICFA Oct 2004

LHC SIL Systems BLMS Software Results

Events Definition

Prevent superconductive magnet destruction (MaDe) due to an high loss (~30 downtime days for substitution).

Avoid false dumps (FaDu) ( ~3 downtime hours to recover previous beam status).

System fault events

Reliability of BLMS for the LHC.G.Guaglio, B Dehning, C. Santoni

5/16ICFA Oct 2004

LHC SIL Systems BLMS Software Results

Frequency

< 10-4Events which are extremely unlikely to occur

Negligible / Not credible

10-4 – 10-3Events which are unlikely to occur

Improbable

10-3 – 10-2Events which are possible but not expected to occur

Remote

10-2 – 10-1Events which are possible and expected to occur

Occasional

10-1 - 1Events that are likely to occur

Probable

> 1Events which are very likely to occur

Frequent

Indicative frequency level (per year)

DescriptionCategoryTABLE 1). Frequency table used for LHC risk definition.

Reliability of BLMS for the LHC.G.Guaglio, B Dehning, C. Santoni

6/16ICFA Oct 2004

LHC SIL Systems BLMS Software Results

Gravity

< 3 days0 – 1050.001 (or 1 over 1000 accidents)

Events which may lead to minor injuries

Minor

3 to 20 days105 – 1060.01 (or 1 over 100 accidents)

Events which may lead to serious, but

not fatal, injury

Severe

20 days to 6 months

106 – 5*1070.1 (or 1 over 10 accidents)

Events capable of resulting in a fatality

Major

> 6 months> 5*107≥1Events capable of resulting in multiple

fatalities

Catastrophic

DowntimeCHF LossN. fatalities (indicative)

CriteriaDamage to equipmentInjury to personnelCategory

TABLE 1). Gravity table used for LHC risk definition.

Reliability of BLMS for the LHC.G.Guaglio, B Dehning, C. Santoni

7/16ICFA Oct 2004

LHC SIL Systems BLMS Software Results

SIL levels and failure rates

SIL 1SIL 1SIL 1SIL 2Negligible / Not Credible

SIL 1SIL 1SIL 2SIL 3Improbable

SIL 1SIL 2 SIL 2SIL 3Remote

SIL 1SIL 2SIL 3SIL 3Occasional

SIL 2SIL 3SIL 3SIL 3Probable

SIL 2SIL 3SIL 3SIL 4Frequent

MinorSevereMajorCatas-trophic

ConsequenceEvent Likelihood

10-6 < Pr < 10-5110-7 < Pr < 10-6210-8 < Pr < 10-7310-9 < Pr < 10-84

Probability of a dangerous failure per hour

SIL

For high demand /continuousmode ofoperation systems

Reliability of BLMS for the LHC.G.Guaglio, B Dehning, C. Santoni

8/16ICFA Oct 2004

LHC SIL Systems BLMS Software Results

LHC Interlocked SystemsEq

uipm

ent p

re-

serv

ing

syst

ems

(pre

vent

MaD

e)R

eact

ion

time

<10m

s>1

0sm

iddl

e

Con

nect

ed to

th

e in

terlo

ck:

FaD

uG

ener

ator

s

Res

istiv

e m

agne

ts

Fast

Bea

m C

urre

nt D

ecay

RF

Beam

Pos

ition

Mon

itors

Acce

ss

Tim

ing

LHC

Exp

erim

ents

Col

limat

ors

Vacu

um

LHC

Bea

m D

ump

Beam

Ene

rgy

Trac

king

LHC

Bea

m In

terlo

cks

Cry

ogen

ics

Que

nch

Prot

ectio

n

Beam

Los

s M

onito

rs

4 first line systems: Σ λ < 1E-7 /h

~20 dump generator systems: Σ λ < 1E-6 /h

Pow

er C

onve

rters

Reliability of BLMS for the LHC.G.Guaglio, B Dehning, C. Santoni

9/16ICFA Oct 2004

LHC SIL Systems BLMS Software Results

BLMS OverviewCurrent tofrequencyconverter

Multi-plexerLASER

DiodeDemulti-plexer

Thresholdcomparator

BIC (Dump)Beam PermitBeam EnergyVME Bus

Analogue Electronics Digital Electronics

Below Quad. in ARC

Ionization chamber

At surface (SR, SX)

Switch

Iin(t)

Referencecurrent

Tresholdcomparator

One-shot∆T

Iref

Integrator

fout1.E+06

1.E+07

1.E+08

1.E+09

1.E+10

1.E+11

1.E+12

1.E+13

1.E+14

1.E+15

1.E-02 1.E-01 1.E+00 1.E+01 1.E+02 1.E+03 1.E+04 1.E+05 1.E+06duration of loss [ms]

quen

ch le

vels

[pro

ton/

m/s

]

7 TeV

450 GeV

Reliability of BLMS for the LHC.G.Guaglio, B Dehning, C. Santoni

10/16ICFA Oct 2004

LHC SIL Systems BLMS Software Results

Dependability improvementsFail Safe DesignThe design is conceived to generate a normal status variation following a fail.

Availability ImprovementsTest (continuously, 20 hours and yearly) of detector and analog electronic, to face integral dose degradation; voting for digital part, to avoid single event effects.

Reliability ImprovementsActions against the weakest elements : redundancy(lasers, CRC, decisions table,…).

Reliability of BLMS for the LHC.G.Guaglio, B Dehning, C. Santoni

11/16ICFA Oct 2004

LHC SIL Systems BLMS Software Results

Failure RatesNotes

Failure rate λ [10-8 1/h]

840

24

Not redundant

70FPGA RX*

8.7Switch

Dose and

fluence tested

Continuous (40 µs)

2.0IntegratorExperience SPS202.5IC+cable+terminations

0.014

Redundant

3.2Photodiode20Optical fibre

202 Optical connectors510Laser200FPGA TX*

GeneralInspection interval [h]Single

Component

Reference:MIL-HDBK-217FIC calculated with 60% confidence level of no fails over 140 IC in 30 years in SPS

Reliability of BLMS for the LHC.G.Guaglio, B Dehning, C. Santoni

12/16ICFA Oct 2004

LHC SIL Systems BLMS Software Results

System failure

Front end electronicMonitor Surface

electronicDump

electronicLaser line 1

Laser line 2

OR AND

OR

Component failure rate predictions.

Assembly failure mode.

System dependability.

References:MIL-217 (electronic), Telcordia (telecommunication), IEC (electronic), NSWC (mechanical)

Failure Mode Effect and Criticality Analysis

Reliability Block DiagramFault Tree

Isograph Reliability Workbench

FPGA TX

FPGA RX

Com-binerIC Beam

interlock DUMP

Reliability of BLMS for the LHC.G.Guaglio, B Dehning, C. Santoni

13/16ICFA Oct 2004

LHC SIL Systems BLMS Software Results

FMECA analysis

1.12 an optical line fails, 2.12 an optical linefails, 3.1 an optical line fails

Availabilityreduction

3

1.1 No HT, 1.2 wrong HT, 1.7 no CFC signal, 1.9 wrong CFC signal, 1.11 No data 2.1 No HT, 2.2 wrong HT, 2.7 no CFC signal, 2.9 wrong CFC signal, 2.11 No data, 3.2 DAB false dump, 3.3 energy

unsafe, 3.5 no alimentation

False dump

2

1.3 no IC signal, 1.4 wrong IC signal, 1.5 noise variation, 1.6 noise increase, 1.8 hidden wrong CFC signal, 1.10 Blind HT 2.3 no IC signal, 2.4 wrong IC signal, 2.5 noise variation, 2.6 noise increase, 2.8

hidden wrong CFC signal, 2.10 Blind HT, 3.4 switch unsafe

Unsafemission

1

ContributorsFailureMode

EntryID

Block : BLMS

Block : 1 ID: tunnel installationLevel: 1

daily andmore

Unsafe mission

1.2.3 Degradation of Cable Insulation Resistance, 1.2.4 Cable Miscellaneous Mechanical Failures,

1.2.11 IC gas pressure change

wrong ICsignal

1.4

dailyUnsafe mission

1.2.1 Signal Cable Shorts (Poor Sealing), 1.2.2 Mechanical Failure of Cable Solder Joints

no IC signal1.3

continuousFalsedump

1.1.3 Degradation of Insulation Resistance, 1.1.4 Poor Contact Resistance, 1.1.5 Miscellaneous Mechanical

Failures

wrong HT1.2

Detection Method

EndEffects

ContributorsFailureMode

EntryID

Block : 1.2Function: Detect loss ID: IC+cable

Radiation Source

Unsafe mission

wrong signal

from IC

IC gaspressurechange

1.2.11

Surface HT

status

False dump

No HTCIC Shorted(Electrical)

1.2.5

HV modulation

Unsafe mission

No IC signal

Signal CableShorts (Poor

Sealing)

1.2.1

DetectionMethod

EndEffects

EffectsFailureMode

EntryID

Reliability of BLMS for the LHC.G.Guaglio, B Dehning, C. Santoni

14/16ICFA Oct 2004

LHC SIL Systems BLMS Software Results

0.6

0.45

0.3

0.15

0

IC

JFE

T1

JFE

T2

OPA

1

OPA

2

LA

SER

1

LA

SER

2

Rel

ativ

e im

port

ance

Importance analysis

Importance diagram

Unavailability, failure rate,…

Time profiles

Unr

elia

bilit

y

40 µs 80 µs20 h 40 h

time

Reliability of BLMS for the LHC.G.Guaglio, B Dehning, C. Santoni

15/16ICFA Oct 2004

LHC SIL Systems BLMS Software Results

Results

FaDu (no Power Supply): 2.4 10-7/h * 4000 h/y * 3200 = 3/y

Foreseen events frequency:

“Focused” dangerous losses per years: pessimistic!

Number of channels

Beam hours: 200 d*20 h/d

We are beyond the Functional limits, but tolerable for Malfunction approach: good confidence that in 20 year we will lose (less than) the 16 spares magnets and BLMS generate around 3 false dump per year.

SIL MaDe suggested rate: 2.5 10-8/h

SIL FaDu suggested rate: 5.0 10-8/h

MaDe (single channel): 5.0 10-7/h * 4000 h/y * 100 = 0.2/y

Reliability of BLMS for the LHC.G.Guaglio, B Dehning, C. Santoni

16/16ICFA Oct 2004

LHC SIL Systems BLMS Software Results

Conclusions1. Probable multi-detection per loss (further

simulations on going): MaDe OK.2. FaDu improving with better electronic

components (and better power distribution).

3. The systematic reliability approach guide the BLMS design (redundancies, testing, sensitivity evaluations).