
First Risk Analysis for the LHCb Vertex Detector System


Presentation Transcript


  1. First Risk Analysis for the LHCb Vertex Detector System
     • Purpose
     • Framework
     • model taken from CERN CSAMS
     • functional analysis of VDS
     • estimation of downtime for various tasks
     • Identified undesired events for VDS design (July ’00)
     • Summary and outlook
     Massimiliano Ferro-Luzzi, CERN/EP

  2. Purpose of Risk Analysis
     • To provide an objective basis for a constructive and methodical evaluation of the VDS design.
     • comprehensive overview of all (major) risks involved
       • what risk scenarios, what consequences, what probabilities of occurrence?
     • requirements/recommendations for a given design choice
       • what tests should be performed and what results obtained to make the chosen option acceptable?
     • basis for a later, more detailed risk analysis
       • for instance, risks of “injuries to personnel” are not assessed in detail, but believed to be  downtime and CHF loss risks

  3. Framework of Risk Analysis
     • Use model defined in “CERN Safety Alarms Monitoring System Functional and Safety Requirements”, IT-2694/ST, September 2000.
     • (1) Identify undesired event (UE)
     • (2) Determine the consequence category of UE
     • (3) Use predefined table to fix maximum allowable frequency (MAF)
     • (4) Determine required frequency by reducing MAF by factor 100

  4. Framework: frequency categories

     | Category   | Description                                                                             | Indicative frequency level (per year) |
     |------------|-----------------------------------------------------------------------------------------|---------------------------------------|
     | Frequent   | Events which are very likely to occur in the facility during its life time              | > 1                                   |
     | Probable   | Events which are likely to occur in the facility during its life time                   | 10^-1 to 1                            |
     | Occasional | Events which are possible and expected to occur in the facility during its life time    | 10^-2 to 10^-1                        |
     | Remote     | Events which are possible but not expected to occur in the facility during its life time | 10^-3 to 10^-2                        |
     | Improbable | Events which are unlikely to occur in the facility during its life time                 | 10^-4 to 10^-3                        |
     | Negligible | Events which are extremely unlikely to occur in the facility during its life time       | < 10^-4                               |

  5. Framework: consequence categories

     Dominant criterion

     | Category     | Injury to personnel (indicative)                        | Loss in CHF (indicative) | Downtime (indicative) |
     |--------------|---------------------------------------------------------|--------------------------|-----------------------|
     | Catastrophic | Events capable of resulting in multiple fatalities      | > 10^8                   | > 3 months            |
     | Major        | Events capable of resulting in a fatality               | 10^6 to 10^8             | 1 week to 3 months    |
     | Severe       | Events which may lead to serious, but not fatal injury  | 10^4 to 10^6             | 4 hours to 1 week     |
     | Minor        | Events which may lead to minor injuries                 | 0 to 10^4                | < 4 hours             |

  6. Framework: risk classification table

     max allowable frequency

     | Frequency category | Catastrophic | Major | Severe | Minor |
     |--------------------|--------------|-------|--------|-------|
     | Frequent           | I            | I     | I      | II    |
     | Probable           | I            | I     | II     | III   |
     | Occasional         | I            | II    | III    | III   |
     | Remote             | II           | III   | III    | IV    |
     | Improbable         | III          | III   | IV     | IV    |
     | Negligible         | IV           | IV    | IV     | IV    |

     required frequency

     Legend:
     I = intolerable risk
     II = undesirable but tolerable if risk reduction is out of proportion
     III = tolerable if risk reduction “exceeds” improvement gained
     IV = negligible risk

  7. Functional Analysis
     • Within context of risk analysis, consider 3 main modes of operation:
     • Normal
       • ring valves open; full aperture of VD < 54 mm
       • normal running mode for LHCb physics
     • Standby
       • ring valves open; full aperture of VD > 54 mm
       • e.g. beam filling/tuning, scheduled dump
       • (in some cases LHCb might take data)
     • Isolated
       • ring valves closed; full aperture of VD is any
       • e.g. hall access, remote-controlled or in-situ maintenance

  8. Assumptions
     • If the NEGs are exposed to ambient air (even if at low pressure)
     •  heating is needed after the subsequent pump-down !
     • This assumes that
       * we need a minimum pumping capacity from the NEGs
       and/or
       * the desorption yields of such exposed NEGs are not low enough
     • If primary vacuum system vented with ultrapure Ar/Ne
     •  heating is not needed (NEGs are unaffected, C. Benvenuti & P. Chiggiato)
     check! A. Rossi
     check! M.P. Lozano

  9. Downtime estimations
     • Needed to assess gravity of a given undesired event!
     • Tasks:
       • granting general access to experimental zone: 1 hour ?
       • granting access to VD area:  1 shift ?
       • bring VDS to atmospheric pressure (and room temperature):  1 shift ?
       • preparation tasks around LHCb beam pipe for heating NEGs: 6 shifts ?
       • replacement of an LHCb beam pipe section: 6 shifts ?
       • pump down to pressure appropriate for NEG heating: 3 shifts ?
       • heating of NEGs: 3 shifts ?
       • pump down to pressure appropriate for beam filling: 3 shifts ?
       • reverse of above “preparation tasks for heating NEGs”: 6 shifts ?
       • evacuation and closing of experimental zone: 1 hour ?
     • (some tasks can proceed in parallel !)

  10. Undesired Events
     UE-1: Damaged feedthrough pin in secondary vacuum
     UE-2: Loss of electrical power
     UE-3: CO2 cooling system goes down
     UE-4: Leak in CO2 cooling pipe
     UE-5: Uncontrolled beam displacement
     UE-6: Ion-getter pump goes down
     UE-7: Turbomolecular pump station goes down
     UE-8: Bellow between secondary & primary vacua breaks
     UE-9: Jamming of detector halves motion mechanics
     UE-10: Bellow between air & primary vacuum breaks
     ...

  11. Sample Undesired Event
     • UE-1a: Damaged feedthrough pin in secondary vacuum
     • Assumptions:
       • due to human action  mode Isolated (ring valves closed)
       • leak rate into 2ary vacuum small enough that safety valves stay closed
       • leak rate to 1ary vacuum < outgassing rate of 1ary vacuum
       • VDS can be brought to atmospheric pressure according to normal procedure with Ar/Ne ( 1 shift)
     • Estimated damage:
       • 1ary vacuum not exposed to air  no NEG heating needed
       • replace feedthrough flange (1 shift)
       • pump down (6 shifts)
       •  LHC loss  0 CHF, LHC downtime < 3 days
       •  category: Severe
     • Requirements/remarks: see
       • required frequency: Remote (see experience with LEP/SPS/... ?)
       • precautions: countersink flange connectors, tighten cable connectors, tighten cables, use of a protective cage around feedthroughs, ...
     Prove! Prove!

  12. Sample Undesired Event (continued)
     • UE-1b: as UE-1a but differential pressure triggers safety valves to open
     • Assumptions:
       • as in UE-1a except that leak rate into 2ary vacuum is such that safety valves open
       • leak rate to 1ary vacuum  substantial fraction of leak rate to 2ary vacuum
       • VDS can be brought to atmospheric pressure according to normal procedure with dry gas (N2)
     • Estimated damage: (compare to UE-1a)
       • 1ary vacuum exposed to air  NEG heating needed (3 additional days)
       • service/inspect pumps, thin foil, … (1 additional day)
       •  LHC loss  0 CHF, LHC downtime  1 week (but longer for LHCb !)
       •  category: Severe
     • Requirements/remarks:
       • required frequency: Remote
       • demonstrate that breaking of feedthrough pin will in most cases not be followed by a differential pressure increase which triggers safety valves to open
       • e.g. this probability should be < 0.1, if actual frequency of UE-1a is Occasional ?

  13. Sample Undesired Event (continued)
     • UE-1c: as UE-1b but all safety devices fail to protect the thin-walled box
     • Assumptions:
       • as in UE-1b except that electrically activated valve, gravity-controlled safety valve (and rupture disc, pcrit 10 mbar) fail to protect the thin-walled box
     • Estimated damage: (compare to UE-1b)
       • as in UE-1b, but the thin-walled box (and perhaps some Si modules ?) must be replaced
       • debris (if any) must be collected ?
       • LHCb beam pipe must be refurbished ?
       •  LHC loss  ? CHF, LHC downtime  ? weeks
       •  category: Major
     • Requirements/remarks:
       • required frequency: Improbable
       • demonstrate that probability for coincidental failure is < 0.1, if actual frequency of UE-1b is Remote

  14. Some Precautions / Recommendations (to be discussed further)
     • Closed and controlled area around VD system (dust-free, humidity controlled)
     • All servicing and maintenance operations performed by qualified personnel exclusively
     • Interlock between hall access doors and ring valves (force to close valves when hall access granted)
     • Safety of the beam pipe: foresee protection structures ?
     • Interlocks/alarms between VD and LHC control systems
     • Foresee spare parts for “critical scenarios” (which are allowed to hinder LHCb operation, if unavoidable!) so that LHC beam conditions can readily be restored:
       • dummy wake field guide to replace Si housings
       • dummy beam pipe to replace VD tank & RICH section (?)
       • ...

  15. Summary and Outlook
     • Gather more info on
       • downtime and “CHF loss” estimations (Daniel Lacarrère, Juan Ramon Knaster, Martin Doets, et al.)
       • (dynamic) vacuum properties of (saturated) NEGs (Paolo Chiggiato, Maria Pilar Lozano, et al.)
       • beam handling failure scenarios (Oliver Brüning, Rudiger Schmidt, et al.)
     • Risk analysis will be publicized in the form of an LHCb note with only one of two possible conclusions (needed for TDR):
       • (1) it is not a viable solution (there are insurmountable obstacles)
       • (2) it is an acceptable solution if this and this is done, checked, etc.
     • Perform required tests before installation into LHC
     This is where the work is!
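
Added example (not part of the original presentation): the four-step framework of slides 3 to 6 in Python, checked against the required frequencies quoted for UE-1a, UE-1b and UE-1c. Two rules are assumptions, since the slides do not state them explicitly: the maximum allowable frequency is taken as the most frequent category not classed I for the given consequence, and "factor 100" is taken as a shift of two frequency categories. All function names are hypothetical.

```python
# Added example. Data transcribed from slides 4 and 6; the MAF rule is an assumption.
FREQ = ["Frequent", "Probable", "Occasional", "Remote", "Improbable", "Negligible"]
# log10 of each category's upper bound per year (slide 4); Frequent is unbounded.
LOG10_UPPER = {"Frequent": None, "Probable": 0, "Occasional": -1,
               "Remote": -2, "Improbable": -3, "Negligible": -4}
CONS = ["Catastrophic", "Major", "Severe", "Minor"]
# Risk classification table (slide 6): one row per frequency, columns follow CONS.
TABLE = {
    "Frequent":   ["I",   "I",   "I",   "II"],
    "Probable":   ["I",   "I",   "II",  "III"],
    "Occasional": ["I",   "II",  "III", "III"],
    "Remote":     ["II",  "III", "III", "IV"],
    "Improbable": ["III", "III", "IV",  "IV"],
    "Negligible": ["IV",  "IV",  "IV",  "IV"],
}

def risk_class(freq, cons):
    """Risk class I..IV for a frequency/consequence pair."""
    return TABLE[freq][CONS.index(cons)]

def max_allowable_frequency(cons):
    """Step 3 (assumed rule): most frequent category not classed I (intolerable)."""
    for freq in FREQ:
        if risk_class(freq, cons) != "I":
            return freq
    raise ValueError("every frequency is intolerable for " + cons)

def required_frequency(cons):
    """Step 4: reduce the MAF by a factor 100, i.e. two categories down (assumed)."""
    idx = FREQ.index(max_allowable_frequency(cons)) + 2
    return FREQ[min(idx, len(FREQ) - 1)]

def max_escalation_probability(parent_freq, child_cons):
    """Largest conditional probability that keeps an escalated event
    (e.g. UE-1b given UE-1a) inside its required frequency category."""
    parent = LOG10_UPPER[parent_freq]
    if parent is None:
        raise ValueError("parent frequency has no upper bound")
    required = LOG10_UPPER[required_frequency(child_cons)]
    return min(1.0, 10.0 ** (required - parent))

if __name__ == "__main__":
    for cons in ("Severe", "Major"):
        print(cons, "->", max_allowable_frequency(cons), "->", required_frequency(cons))
    print("UE-1b given UE-1a (Occasional):", max_escalation_probability("Occasional", "Severe"))
    print("UE-1c given UE-1b (Remote):", max_escalation_probability("Remote", "Major"))
```

Under these assumptions the code reproduces Remote for the Severe events UE-1a and UE-1b, Improbable for the Major event UE-1c, and the 0.1 probability bounds quoted on slides 12 and 13.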
