### Topics of the Presentation

• The operational scenario

• Re-analyzing the model for the beam losses.

• Updating the model.

• Beam loss and normal conclusion.

• The general model.

• Some approximations for managing complexity.

• Trading-off safety performance (a case study).

• Conclusions.

### System DescriptionOperational Scenario

### The Beam Loss ModelBasic Assumptions

The model.

• The system includes the BLM, the BICs, the beam permit loop and the LBDS. The BEM is included in the LBDS.

• The BIC6 is kept separated from the other BICs, for the function of sending a dump request to the LBDS.

• Failure rates are assumed constant.

Beam Losses

• The likelihood of having beam losses at a certain portion is uniformly distributed along the ring and involves only one BLM at a time.

• Beam losses average rate is assumed 1/48h (200days).

Analysis.

• The probability of being available at the time of a beam loss (continuous operation, no planned dump requests).

### The Beam Loss ModelModeling the Beam Loss Event

Distribution of a single beam loss

Probability of the number of beam loss events respect to time t

Probability a beam loss occurred in[0,t]

Beam Loss Events

### The Beam Loss ModelMarkov Chain

Markov Chain

1-R(t)

T1

T2

Tn

### The Beam Loss ModelResults

P(X3): System not available at a Beam loss

1-R(m)

Model parameters setting

E{T i+1 – Ti }= 48h

E{N(t)} = 100, (t = 4800h)

P(X3): Mean System Unreliability after 100 missions of mean duration T = 48h

• The single mission terminates at a beam loss and restarts only if it has been successfully terminated.

• The overall process (one year) is a sequence of dump requests at the time of the beam loss. It is a Markov renewalprocess.

What is to update:

• The mission has a finite duration T due to the planned dump requests:

• The system configuration at a planned dump requests is in part different form the configuration needed for a beam loss.

### Updating ModelBeam Loss and Planned Dump Requests

Markov Chain

1-R(t)

1-R(t)

1-R(t)

### Updating ModelResults at the End of a 10h Operation

Unavailable at a beam loss occurred in [0,10] : P(X4)

Unavailable at a planned dump request at any time: P(X2)+P(X3)

Mission aborts distribution due to a beam loss (1/48h) over 400 missions

Probability of unsafe dump at time t=10

At time t =10h the unavailability of the system BIC1-Permit Loop-BIC6-LBDS is added

• More realistic reliability figures are obtained.

• Reliability over 1 year involves a more complex renewal process.

• System is as good as new at the start of a mission.

• Surveillance (BET, etc…) not yet included.

The next step: to include surveillance:

• Benefits: reduction of the system failure rate.

• Drawbacks: generation of dump requests.

Approximations are necessary for managing complexity.

• For the reliability of a single operation.

• For the reliability over one year.

Beam Loss Model: Unreliability over 400 missions (10h each)

Beam Loss and Planned dump requests Model: Unreliability over 400 missions (10h each)

### The Model Including SurveillanceAssumptions

Assumptions during a single mission

• A1: The probabilities are evaluated at time t = T.

• A2: All the cases leading to a dump requests are modeled and analyzed separately.

• A3: The system reliability R(T) is calculated with respect to the system configuration at the time of a dump request.

Assumptions over one year

• A4: The system is as good as new after the check (no aging and wearing).

• A5: We assume 400 LHC operation cycles per year (average).

The approximations 1,2,3 lead to a lower bound for the system reliability over one mission. The assumptions 4 can be relaxed.

### The General ModelPutting All Together

### MKDA Case Study (EPAC Paper)

• Analysis of safety and average number of false dumps of the MKD (LBDS) over one year.

### The MKD ModelRedundancy, Surveillance, Post mortem

Not-Homogeneous Markov Chain

### MKD AnalysisAssumptions

Modeling assumptions

• BEM, triggering and re-triggering systems have not been included.

• The data acquisition channels going to the BET are identical and fail always safe (dump request).

• Constant failure rates.

• The length of an LHC operation (the mission) is 10h.

• After the post mortem the system is as good as new.

### MKD AnalysisResults Over One Year (400 Missions)

### Conclusions

• The beam loss model was updated considering the conclusion due to a planned dump request

• The model is very compact although complex in the transition rates.

• To manage things at higher level needs approximations.

• The next steps:

• To analyze the contribution of surveillance in terms of safety gain and false dumps per year as shown for the MKD system.

• Sensitivity analysis and trade-off studies (safety against false dumps) of the most critical systems.

