1 / 99

Risk Reduction Levels…

Risk Reduction Levels…. September 2016. benjamin.todd@cern.ch. 0. To Take Away Today. This presentation supposed to be Safety Integrity Levels… a big leap…. Start the discussion by considering Risk Reduction via Risk Analysis. risk analysis is a core part of every engineer’s toolbox

courtney
Télécharger la présentation

Risk Reduction Levels…

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Risk Reduction Levels… September 2016 benjamin.todd@cern.ch 0

  2. To Take Away Today This presentation supposed to be Safety Integrity Levels… a big leap… Start the discussion by considering Risk Reduction via Risk Analysis • risk analysis is a core part of every engineer’s toolbox • – zero risk does not exist • the context is vital • –need to consider system, machine and organisationallevel impact • If you remember only two things from today…

  3. Contents 1. Risk Analysis Safety – Protection – Plant Powering Protection Interlock Implementation 2. An Example Beam Interlock System Failure Modes Effects and Criticality Analysis

  4. Protection Functions MagnetEnergy Emergency Discharge Powering Protection: 100x energy of TEVATRON 0.000005% of beam lost into a magnet = quench 0.005% beam lost into magnet = damage BeamEnergy Beam Dump Beam Protection: Failure in protection – complete loss of LHC is possible 10-20x energy per magnet of TEVATRON magnet quenched = hours downtime many magnets quenched= days downtime magnet damaged = $1 million, months downtime many magnets damaged = many millions, many months downtime

  5. Protection Functions 100x energy of TEVATRON 0.000005% of beam lost into a magnet = quench 0.005% beam lost into magnet = damage BeamEnergy Beam Dump Beam Protection: Failure in protection – complete loss of LHC is possible Concrete Shielding Beam is ‘painted’ diameter 35cm 8m long absorber Graphite = 800°C

  6. Protection Functions 100x energy of TEVATRON 0.000005% of beam lost into a magnet = quench 0.005% beam lost into magnet = damage BeamEnergy Beam Dump Beam Protection: Failure in protection – complete loss of LHC is possible To protect against fastest failure modes ≈ 400 µs over 27km

  7. Comparison of LHC with others powering is split into sub-sectors: energy in each circuit manageable, allows for a staged commissioning [13]

  8. SPS Experiment at 450 GeV Controlled SPS experiment to qualify simulations At 450GeV … 8x1012 protons causes damage 6 cm 4x1012 6x1012 2x1012 8x1012 beam size σx/y = 1.1mm/0.6mm Plate 2mm thick 0.1% LHC Full Beam Energy! Beam in LHC is 10x smaller!! [14]

  9. Plants, Protection and Safety

  10. Safety – Protection – Plant • Vacuum Example: • maintain correct pressure Plant Systems: Fulfill operational requirements Vacuum Pressure Vacuum Pump Speed Control [11]

  11. Safety – Protection – Plant • Vacuum Example: • maintain correct pressure • bad pressure = close valves Vacuum Pressure Vacuum Valve Actuator Plant Protection: Ensure plant stays within limits Plant Systems: Fulfill operational requirements Vacuum Pressure Vacuum Pump Speed Control [11]

  12. Safety – Protection – Plant Vacuum Pressure Vacuum Valve Actuator Plant Systems: Ensure plant stays within limits Fulfill operational requirements • Sensors, Actuators and Process maybecombined • No rules regarding combination • Must meet functionalrequirement Vacuum Pump Speed Control [11]

  13. Safety – Protection – Plant Access doors Beam absorbers Personnel Safety System: People in perimeter – stop machine personnel safe but machine at risk • cannot be merged with plants • Must meet legal requirement [11]

  14. Safety – Protection – Plant Machine Protection System: Prevent damage to machine Prevent undue stress to components • No rules regarding implementation • Must meet functionalrequirement [11]

  15. Safety – Protection – Plant Machine Protection System: Prevent damage to machine Prevent undue stress to components • No rules regarding implementation • Must meet functionalrequirement powering protection closely coupled to powering plant [11]

  16. Safety – Protection – Plant Personnel Safety System: Machine Protection System: danger willexist – prevent – extract energy danger exists – protect – extract energy Plant Systems: [11]

  17. So… Each of these systems has a job to do… If they malfunction, we are in a tough situation Everything that can malfunction, will eventually malfunction… Prepare for and accept malfunction as “normal”. Build the systems using a risk-based approach e.g. Safety Systems – IEC61508 inspired

  18. Protection System Lifecycle

  19. Protection System Lifecycle systems involved in protection are unique certain technologies used have never been tried on this scale before high cost of failure development and analysis of machine protection as if it were a safety system Design System Protection System Lifecycle AssessExisting worked example Dipole Magnet Protection – 9GJ

  20. Protection System Lifecycle

  21. Protection System Lifecycle Magnet Cryogenics Power Converter Equipment Under Control

  22. 154 in series Magnet Cryogenics Power Converter Equipment Under Control

  23. prevent protect Quench Damage 154 in series Magnet Cryogenics Power Converter Equipment Under Control

  24. Hazard Chain: from Quench to Damage… • Resistive zone appears in a magnet • I2R losses begin • Zone heats up (heat propagates to neighbouring magnets) • Damage to magnets 154 in series

  25. Hazard Chain: from Quench to Damage… • Resistive zone appears in a magnet • I2R losses begin • Zone heats up (heat propagates to neighbouring magnets) • Damage to magnets 154 in series What Protection Functions and Protection Systems are in place?

  26. Turn off Power Converter = purple = 3 • Propagate Quench = orange = 2 • Extract Energy = purple = 3 • Link Related Circuits = green = 1 when quench occurs…

  27. Power Abort Detection • Turn off Power Converter = purple = 3 • Propagate Quench = orange = 2 • Extract Energy = purple = 3 • Link Related Circuits = green = 1 when quench occurs…

  28. Quench Heater • Turn off Power Converter = purple = 3 • Propagate Quench = orange = 2 • Extract Energy = purple = 3 • Link Related Circuits = green = 1 when quench occurs…

  29. Energy Extraction Loop Extraction Switch Resistor • Turn off Power Converter = purple = 3 • Propagate Quench = orange = 2 • Extract Energy = purple = 3 • Link Related Circuits = green = 1 when quench occurs…

  30. Powering Loop • Turn off Power Converter = purple = 3 • Propagate Quench = orange = 2 • Extract Energy = purple = 3 • Link Related Circuits = green = 1 when quench occurs…

  31. Escape Diode • Turn off Power Converter = purple = 3 • Propagate Quench = orange = 2 • Extract Energy= purple = 3 • Link Related Circuits = green = 1 when quench occurs…

  32. Turn off Power Converter = purple = 3 • Propagate Quench = orange = 2 • Extract Energy= purple = 3 • Link Related Circuits = green = 1 when quench occurs…

  33. classify probability and consequence using risk matrix Colour boundaries, probabilities, consequences intentionally vague = talking points risk, if function didn’t exist, according to system experts… • Turn off Power Converter = purple = 3 • Propagate Quench = orange = 2 • Extract Energy = purple = 3 • Link Related Circuits = green =1

  34. classify probability and consequence using risk matrix Colour boundaries, probabilities, consequences intentionally vague = talking points risk, if function didn’t exist, according to system experts… • Turn off Power Converter =purple = 3 • Propagate Quench =orange = 2 • Extract Energy =purple = 3 • Link Related Circuits = green =1

  35. Turn off Power Converter = purple= 3 • Propagate Quench = orange= 2 • Extract Energy = purple= 3 • Link Related Circuits = green= 1

  36. determine risk reduction level using matrix • Turn off Power Converter = purple= 3 • Propagate Quench = orange= 2 • Extract Energy = purple= 3 • Link Related Circuits = green= 1

  37. determine risk reduction level using matrix = dependability requirements • Turn off Power Converter = purple= 3 • Propagate Quench = orange= 2 • Extract Energy = purple= 3 • Link Related Circuits = green= 1

  38. determine risk reduction level using matrix = dependability requirements • Turn off Power Converter = purple= 3 • Propagate Quench = orange= 2 • Extract Energy = purple= 3 • Link Related Circuits = green= 1

  39. Turn off Power Converter = purple= 3 • Propagate Quench = orange= 2 • Extract Energy = purple= 3 • Link Related Circuits = green= 1

  40. Turn off Power Converter = purple= 3 • Propagate Quench = orange= 2 • Extract Energy = purple= 3 • Link Related Circuits = green= 1

  41. Turn off Power Converter = purple= 3 • Propagate Quench = orange= 2 • Extract Energy = purple= 3 • Link Related Circuits = green= 1

  42. How do we qualify a system meets a level? How about programmable logic? • Turn off Power Converter = purple= 3 • Propagate Quench = orange= 2 • Extract Energy = purple= 3 • Link Related Circuits = green= 1

  43. So… Each of these systems has a job to do… If they malfunction, we are in a tough situation = “risky”? Everything that can malfunction, will eventually malfunction… Prepare for and accept malfunction as “normal”. Realise functions using a high-reliability approach, determine failure rates and modes

More Related