System Theoretic Dependability Analysis of the LHC Superconducting Magnet Circuit Protection

Subject of the present work is the application of the methods STPA (System Theoretic Process Analysis) and CAST (Causal Analysis based on STAMP) to analyze the protection systems of the superconducting magnet circuit of the LHC at CERN, Geneva. The named methods are derived from the at MIT developed STAMP (System Theoretic Accident Model and Processes) accident model. The CAST method was applied to the analysis of the 2008 Incident during the Hardware Commissioning. An incorrect interconnection between two magnets damaged the accelerator severely. The analysis defines the control structure of the Commissioning and investigates every subsystem and the interaction between the components. The results were social and technical requirements. Among others, it shows the necessity for safety culture at CERN and a revision of the magnet interconnection process. The present analysis found the same root causes for the incident than a task force did in 2009. Further, the CAST analysis found more, socio-technical root causes and defined requirements to eradicate them. The second study concerns the focusing magnets enclosing the CMS and ATLAS experiments (inner triplets), which will be renewed as part of the High Luminosity Upgrade. The STPA analysis investigates the protection mechanisms of these magnets and defines a control structure. The components within this structure communicate with control actions. It is investigated, how these control actions can turn unsafe and what can cause these unsafe control actions. The results include requirements for operational safety, reliability, availability and maintainability. Especially the analysis shows, that an additional supervision unit for surveilling accidental CLIQ Unit triggering is needed. The analysis showed the safety of the protection layout of the inner triplets and added requirements for more dependability.